Analysis

  • max time kernel
    104s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03-10-2024 02:15

General

  • Target

    4155015941e9b68d99c41343f43ca0e074fa1f680e7e3e3eae4246a4dd1d7315N.exe

  • Size

    512KB

  • MD5

    e07468119118c24ed175db2a6a9f8120

  • SHA1

    c1ea7e23a337dc4d627cf325c83e07704246142e

  • SHA256

    4155015941e9b68d99c41343f43ca0e074fa1f680e7e3e3eae4246a4dd1d7315

  • SHA512

    0517952f04196667cb6664663f035ddee7e70e3c1f9c841dfc416a5124b92a397e47a75fac421538474ce4caa3bd13715279f552bf596c077be8d7f6974e5aa7

  • SSDEEP

    6144:kBmDb853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:FQBpnchWcZ

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4155015941e9b68d99c41343f43ca0e074fa1f680e7e3e3eae4246a4dd1d7315N.exe
    "C:\Users\Admin\AppData\Local\Temp\4155015941e9b68d99c41343f43ca0e074fa1f680e7e3e3eae4246a4dd1d7315N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\Afbgkl32.exe
      C:\Windows\system32\Afbgkl32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\SysWOW64\Amlogfel.exe
        C:\Windows\system32\Amlogfel.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\Aagkhd32.exe
          C:\Windows\system32\Aagkhd32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\Adfgdpmi.exe
            C:\Windows\system32\Adfgdpmi.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1084
            • C:\Windows\SysWOW64\Ahaceo32.exe
              C:\Windows\system32\Ahaceo32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2788
              • C:\Windows\SysWOW64\Akpoaj32.exe
                C:\Windows\system32\Akpoaj32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1928
                • C:\Windows\SysWOW64\Aokkahlo.exe
                  C:\Windows\system32\Aokkahlo.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2380
                  • C:\Windows\SysWOW64\Aajhndkb.exe
                    C:\Windows\system32\Aajhndkb.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3440
                    • C:\Windows\SysWOW64\Apmhiq32.exe
                      C:\Windows\system32\Apmhiq32.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:216
                      • C:\Windows\SysWOW64\Ahdpjn32.exe
                        C:\Windows\system32\Ahdpjn32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4164
                        • C:\Windows\SysWOW64\Aggpfkjj.exe
                          C:\Windows\system32\Aggpfkjj.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1908
                          • C:\Windows\SysWOW64\Aonhghjl.exe
                            C:\Windows\system32\Aonhghjl.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of WriteProcessMemory
                            PID:3612
                            • C:\Windows\SysWOW64\Amqhbe32.exe
                              C:\Windows\system32\Amqhbe32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1664
                              • C:\Windows\SysWOW64\Apodoq32.exe
                                C:\Windows\system32\Apodoq32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:948
                                • C:\Windows\SysWOW64\Adkqoohc.exe
                                  C:\Windows\system32\Adkqoohc.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2052
                                  • C:\Windows\SysWOW64\Agimkk32.exe
                                    C:\Windows\system32\Agimkk32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1144
                                    • C:\Windows\SysWOW64\Akdilipp.exe
                                      C:\Windows\system32\Akdilipp.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:4836
                                      • C:\Windows\SysWOW64\Amcehdod.exe
                                        C:\Windows\system32\Amcehdod.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of WriteProcessMemory
                                        PID:5060
                                        • C:\Windows\SysWOW64\Aaoaic32.exe
                                          C:\Windows\system32\Aaoaic32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:4112
                                          • C:\Windows\SysWOW64\Apaadpng.exe
                                            C:\Windows\system32\Apaadpng.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:3588
                                            • C:\Windows\SysWOW64\Bhhiemoj.exe
                                              C:\Windows\system32\Bhhiemoj.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:4340
                                              • C:\Windows\SysWOW64\Bgkiaj32.exe
                                                C:\Windows\system32\Bgkiaj32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:1068
                                                • C:\Windows\SysWOW64\Bkgeainn.exe
                                                  C:\Windows\system32\Bkgeainn.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:1528
                                                  • C:\Windows\SysWOW64\Bmeandma.exe
                                                    C:\Windows\system32\Bmeandma.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:4824
                                                    • C:\Windows\SysWOW64\Bpdnjple.exe
                                                      C:\Windows\system32\Bpdnjple.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1108
                                                      • C:\Windows\SysWOW64\Bdojjo32.exe
                                                        C:\Windows\system32\Bdojjo32.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:3224
                                                        • C:\Windows\SysWOW64\Bgnffj32.exe
                                                          C:\Windows\system32\Bgnffj32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          • Modifies registry class
                                                          PID:3044
                                                          • C:\Windows\SysWOW64\Bkibgh32.exe
                                                            C:\Windows\system32\Bkibgh32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3016
                                                            • C:\Windows\SysWOW64\Bmhocd32.exe
                                                              C:\Windows\system32\Bmhocd32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4404
                                                              • C:\Windows\SysWOW64\Bacjdbch.exe
                                                                C:\Windows\system32\Bacjdbch.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Modifies registry class
                                                                PID:3248
                                                                • C:\Windows\SysWOW64\Bpfkpp32.exe
                                                                  C:\Windows\system32\Bpfkpp32.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Modifies registry class
                                                                  PID:2532
                                                                  • C:\Windows\SysWOW64\Bhmbqm32.exe
                                                                    C:\Windows\system32\Bhmbqm32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:4452
                                                                    • C:\Windows\SysWOW64\Bgpcliao.exe
                                                                      C:\Windows\system32\Bgpcliao.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4396
                                                                      • C:\Windows\SysWOW64\Bogkmgba.exe
                                                                        C:\Windows\system32\Bogkmgba.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2476
                                                                        • C:\Windows\SysWOW64\Bmjkic32.exe
                                                                          C:\Windows\system32\Bmjkic32.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1992
                                                                          • C:\Windows\SysWOW64\Bphgeo32.exe
                                                                            C:\Windows\system32\Bphgeo32.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:4564
                                                                            • C:\Windows\SysWOW64\Bgbpaipl.exe
                                                                              C:\Windows\system32\Bgbpaipl.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:2416
                                                                              • C:\Windows\SysWOW64\Boihcf32.exe
                                                                                C:\Windows\system32\Boihcf32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:4236
                                                                                • C:\Windows\SysWOW64\Bahdob32.exe
                                                                                  C:\Windows\system32\Bahdob32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4908
                                                                                  • C:\Windows\SysWOW64\Bpkdjofm.exe
                                                                                    C:\Windows\system32\Bpkdjofm.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:1284
                                                                                    • C:\Windows\SysWOW64\Bhblllfo.exe
                                                                                      C:\Windows\system32\Bhblllfo.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1972
                                                                                      • C:\Windows\SysWOW64\Bgelgi32.exe
                                                                                        C:\Windows\system32\Bgelgi32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:336
                                                                                        • C:\Windows\SysWOW64\Boldhf32.exe
                                                                                          C:\Windows\system32\Boldhf32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Modifies registry class
                                                                                          PID:2724
                                                                                          • C:\Windows\SysWOW64\Bajqda32.exe
                                                                                            C:\Windows\system32\Bajqda32.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • Modifies registry class
                                                                                            PID:2536
                                                                                            • C:\Windows\SysWOW64\Cdimqm32.exe
                                                                                              C:\Windows\system32\Cdimqm32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:1592
                                                                                              • C:\Windows\SysWOW64\Chdialdl.exe
                                                                                                C:\Windows\system32\Chdialdl.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:3796
                                                                                                • C:\Windows\SysWOW64\Ckbemgcp.exe
                                                                                                  C:\Windows\system32\Ckbemgcp.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1072
                                                                                                  • C:\Windows\SysWOW64\Conanfli.exe
                                                                                                    C:\Windows\system32\Conanfli.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies registry class
                                                                                                    PID:3952
                                                                                                    • C:\Windows\SysWOW64\Cammjakm.exe
                                                                                                      C:\Windows\system32\Cammjakm.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:4016
                                                                                                      • C:\Windows\SysWOW64\Cdkifmjq.exe
                                                                                                        C:\Windows\system32\Cdkifmjq.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        PID:632
                                                                                                        • C:\Windows\SysWOW64\Chfegk32.exe
                                                                                                          C:\Windows\system32\Chfegk32.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies registry class
                                                                                                          PID:3788
                                                                                                          • C:\Windows\SysWOW64\Ckebcg32.exe
                                                                                                            C:\Windows\system32\Ckebcg32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies registry class
                                                                                                            PID:4364
                                                                                                            • C:\Windows\SysWOW64\Cncnob32.exe
                                                                                                              C:\Windows\system32\Cncnob32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:4832
                                                                                                              • C:\Windows\SysWOW64\Caojpaij.exe
                                                                                                                C:\Windows\system32\Caojpaij.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • Modifies registry class
                                                                                                                PID:4512
                                                                                                                • C:\Windows\SysWOW64\Cdmfllhn.exe
                                                                                                                  C:\Windows\system32\Cdmfllhn.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:1692
                                                                                                                  • C:\Windows\SysWOW64\Cglbhhga.exe
                                                                                                                    C:\Windows\system32\Cglbhhga.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1104
                                                                                                                    • C:\Windows\SysWOW64\Cocjiehd.exe
                                                                                                                      C:\Windows\system32\Cocjiehd.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:5148
                                                                                                                      • C:\Windows\SysWOW64\Cnfkdb32.exe
                                                                                                                        C:\Windows\system32\Cnfkdb32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:5188
                                                                                                                        • C:\Windows\SysWOW64\Cpdgqmnb.exe
                                                                                                                          C:\Windows\system32\Cpdgqmnb.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:5220
                                                                                                                          • C:\Windows\SysWOW64\Chkobkod.exe
                                                                                                                            C:\Windows\system32\Chkobkod.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:5268
                                                                                                                            • C:\Windows\SysWOW64\Cgnomg32.exe
                                                                                                                              C:\Windows\system32\Cgnomg32.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5308
                                                                                                                              • C:\Windows\SysWOW64\Coegoe32.exe
                                                                                                                                C:\Windows\system32\Coegoe32.exe
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:5348
                                                                                                                                • C:\Windows\SysWOW64\Cacckp32.exe
                                                                                                                                  C:\Windows\system32\Cacckp32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:5388
                                                                                                                                  • C:\Windows\SysWOW64\Cdbpgl32.exe
                                                                                                                                    C:\Windows\system32\Cdbpgl32.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:5428
                                                                                                                                    • C:\Windows\SysWOW64\Cgqlcg32.exe
                                                                                                                                      C:\Windows\system32\Cgqlcg32.exe
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:5460
                                                                                                                                      • C:\Windows\SysWOW64\Cklhcfle.exe
                                                                                                                                        C:\Windows\system32\Cklhcfle.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:5508
                                                                                                                                        • C:\Windows\SysWOW64\Cnjdpaki.exe
                                                                                                                                          C:\Windows\system32\Cnjdpaki.exe
                                                                                                                                          68⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:5548
                                                                                                                                          • C:\Windows\SysWOW64\Dafppp32.exe
                                                                                                                                            C:\Windows\system32\Dafppp32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:5588
                                                                                                                                            • C:\Windows\SysWOW64\Dddllkbf.exe
                                                                                                                                              C:\Windows\system32\Dddllkbf.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:5620
                                                                                                                                              • C:\Windows\SysWOW64\Dhphmj32.exe
                                                                                                                                                C:\Windows\system32\Dhphmj32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:5668
                                                                                                                                                • C:\Windows\SysWOW64\Dkndie32.exe
                                                                                                                                                  C:\Windows\system32\Dkndie32.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:5708
                                                                                                                                                  • C:\Windows\SysWOW64\Dojqjdbl.exe
                                                                                                                                                    C:\Windows\system32\Dojqjdbl.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5740
                                                                                                                                                    • C:\Windows\SysWOW64\Dahmfpap.exe
                                                                                                                                                      C:\Windows\system32\Dahmfpap.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:5788
                                                                                                                                                      • C:\Windows\SysWOW64\Ddgibkpc.exe
                                                                                                                                                        C:\Windows\system32\Ddgibkpc.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:5828
                                                                                                                                                        • C:\Windows\SysWOW64\Dhbebj32.exe
                                                                                                                                                          C:\Windows\system32\Dhbebj32.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:5868
                                                                                                                                                          • C:\Windows\SysWOW64\Dkqaoe32.exe
                                                                                                                                                            C:\Windows\system32\Dkqaoe32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5900
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 400
                                                                                                                                                              78⤵
                                                                                                                                                              • Program crash
                                                                                                                                                              PID:6016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5900 -ip 5900
    1⤵
      PID:5992

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
