Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-11-2024 01:02

General

  • Target

    6e34c611cd8636f7615833340df6cf8b3ffbbee9de5df0743c954e8f8c1789b3N.exe

  • Size

    64KB

  • MD5

    4708188900cb120dd6e28e4aae9ea910

  • SHA1

    7167bcd5b0931fdfe695fb0d2b9e86983864cf68

  • SHA256

    6e34c611cd8636f7615833340df6cf8b3ffbbee9de5df0743c954e8f8c1789b3

  • SHA512

    35139b8460b661a81defeeaf754f650d967fa0d485b48e5840ce806ef3183323b011a88aa6a4831775495a38375358ede08e040f97d019dd52586b538320c58c

  • SSDEEP

    1536:GCuQvo3M5kXuJ+7cz6q60Ukv+yKb63mXUwXfzwv:GCu2xkYz6q60b+yKb6CPzwv

Malware Config

Extracted

  • Family
    berbew
  • C2
    http://tat-neftbank.ru/kkq.php
    http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e34c611cd8636f7615833340df6cf8b3ffbbee9de5df0743c954e8f8c1789b3N.exe
    "C:\Users\Admin\AppData\Local\Temp\6e34c611cd8636f7615833340df6cf8b3ffbbee9de5df0743c954e8f8c1789b3N.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\SysWOW64\Mpoefk32.exe
      C:\Windows\system32\Mpoefk32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\SysWOW64\Melnob32.exe
        C:\Windows\system32\Melnob32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\SysWOW64\Mpablkhc.exe
          C:\Windows\system32\Mpablkhc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Windows\SysWOW64\Menjdbgj.exe
            C:\Windows\system32\Menjdbgj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1124
            • C:\Windows\SysWOW64\Mnebeogl.exe
              C:\Windows\system32\Mnebeogl.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4292
              • C:\Windows\SysWOW64\Ncbknfed.exe
                C:\Windows\system32\Ncbknfed.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:4308
                • C:\Windows\SysWOW64\Nepgjaeg.exe
                  C:\Windows\system32\Nepgjaeg.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:864
                  • C:\Windows\SysWOW64\Nljofl32.exe
                    C:\Windows\system32\Nljofl32.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1636
                    • C:\Windows\SysWOW64\Ncdgcf32.exe
                      C:\Windows\system32\Ncdgcf32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3540
                      • C:\Windows\SysWOW64\Njnpppkn.exe
                        C:\Windows\system32\Njnpppkn.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1952
                        • C:\Windows\SysWOW64\Nphhmj32.exe
                          C:\Windows\system32\Nphhmj32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3324
                          • C:\Windows\SysWOW64\Neeqea32.exe
                            C:\Windows\system32\Neeqea32.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2732
                            • C:\Windows\SysWOW64\Nnlhfn32.exe
                              C:\Windows\system32\Nnlhfn32.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:5100
                              • C:\Windows\SysWOW64\Ndfqbhia.exe
                                C:\Windows\system32\Ndfqbhia.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:5044
                                • C:\Windows\SysWOW64\Nfgmjqop.exe
                                  C:\Windows\system32\Nfgmjqop.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1300
                                  • C:\Windows\SysWOW64\Nlaegk32.exe
                                    C:\Windows\system32\Nlaegk32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1816
                                    • C:\Windows\SysWOW64\Ndhmhh32.exe
                                      C:\Windows\system32\Ndhmhh32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:1060
                                      • C:\Windows\SysWOW64\Nggjdc32.exe
                                        C:\Windows\system32\Nggjdc32.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:2488
                                        • C:\Windows\SysWOW64\Njefqo32.exe
                                          C:\Windows\system32\Njefqo32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:3024
                                          • C:\Windows\SysWOW64\Olcbmj32.exe
                                            C:\Windows\system32\Olcbmj32.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:2340
                                            • C:\Windows\SysWOW64\Ogifjcdp.exe
                                              C:\Windows\system32\Ogifjcdp.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Suspicious use of WriteProcessMemory
                                              PID:3436
                                              • C:\Windows\SysWOW64\Oflgep32.exe
                                                C:\Windows\system32\Oflgep32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:2464
                                                • C:\Windows\SysWOW64\Oncofm32.exe
                                                  C:\Windows\system32\Oncofm32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4600
                                                  • C:\Windows\SysWOW64\Olfobjbg.exe
                                                    C:\Windows\system32\Olfobjbg.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:3244
                                                    • C:\Windows\SysWOW64\Ocpgod32.exe
                                                      C:\Windows\system32\Ocpgod32.exe
                                                      26⤵
                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      PID:4780
                                                      • C:\Windows\SysWOW64\Ojjolnaq.exe
                                                        C:\Windows\system32\Ojjolnaq.exe
                                                        27⤵
                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2280
                                                        • C:\Windows\SysWOW64\Odocigqg.exe
                                                          C:\Windows\system32\Odocigqg.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3328
                                                          • C:\Windows\SysWOW64\Ognpebpj.exe
                                                            C:\Windows\system32\Ognpebpj.exe
                                                            29⤵
                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies registry class
                                                            PID:4200
                                                            • C:\Windows\SysWOW64\Olkhmi32.exe
                                                              C:\Windows\system32\Olkhmi32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2312
                                                              • C:\Windows\SysWOW64\Ogpmjb32.exe
                                                                C:\Windows\system32\Ogpmjb32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                PID:980
                                                                • C:\Windows\SysWOW64\Onjegled.exe
                                                                  C:\Windows\system32\Onjegled.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:5064
                                                                  • C:\Windows\SysWOW64\Oqhacgdh.exe
                                                                    C:\Windows\system32\Oqhacgdh.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:3616
                                                                    • C:\Windows\SysWOW64\Ogbipa32.exe
                                                                      C:\Windows\system32\Ogbipa32.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2564
                                                                      • C:\Windows\SysWOW64\Pmoahijl.exe
                                                                        C:\Windows\system32\Pmoahijl.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:2380
                                                                        • C:\Windows\SysWOW64\Pgefeajb.exe
                                                                          C:\Windows\system32\Pgefeajb.exe
                                                                          36⤵
                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:4000
                                                                          • C:\Windows\SysWOW64\Pjcbbmif.exe
                                                                            C:\Windows\system32\Pjcbbmif.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:2220
                                                                            • C:\Windows\SysWOW64\Pmannhhj.exe
                                                                              C:\Windows\system32\Pmannhhj.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:4476
                                                                              • C:\Windows\SysWOW64\Pclgkb32.exe
                                                                                C:\Windows\system32\Pclgkb32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:4760
                                                                                • C:\Windows\SysWOW64\Pjeoglgc.exe
                                                                                  C:\Windows\system32\Pjeoglgc.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4920
                                                                                  • C:\Windows\SysWOW64\Pmdkch32.exe
                                                                                    C:\Windows\system32\Pmdkch32.exe
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:2748
                                                                                    • C:\Windows\SysWOW64\Pqpgdfnp.exe
                                                                                      C:\Windows\system32\Pqpgdfnp.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:1448
                                                                                      • C:\Windows\SysWOW64\Pgioqq32.exe
                                                                                        C:\Windows\system32\Pgioqq32.exe
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:2036
                                                                                        • C:\Windows\SysWOW64\Pjhlml32.exe
                                                                                          C:\Windows\system32\Pjhlml32.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:4288
                                                                                          • C:\Windows\SysWOW64\Pmfhig32.exe
                                                                                            C:\Windows\system32\Pmfhig32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1744
                                                                                            • C:\Windows\SysWOW64\Pgllfp32.exe
                                                                                              C:\Windows\system32\Pgllfp32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:2740
                                                                                              • C:\Windows\SysWOW64\Pnfdcjkg.exe
                                                                                                C:\Windows\system32\Pnfdcjkg.exe
                                                                                                47⤵
                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                PID:1536
                                                                                                • C:\Windows\SysWOW64\Pqdqof32.exe
                                                                                                  C:\Windows\system32\Pqdqof32.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:388
                                                                                                  • C:\Windows\SysWOW64\Pgnilpah.exe
                                                                                                    C:\Windows\system32\Pgnilpah.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2560
                                                                                                    • C:\Windows\SysWOW64\Pjmehkqk.exe
                                                                                                      C:\Windows\system32\Pjmehkqk.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2844
                                                                                                      • C:\Windows\SysWOW64\Qdbiedpa.exe
                                                                                                        C:\Windows\system32\Qdbiedpa.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:3884
                                                                                                        • C:\Windows\SysWOW64\Qceiaa32.exe
                                                                                                          C:\Windows\system32\Qceiaa32.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:3556
                                                                                                          • C:\Windows\SysWOW64\Qnjnnj32.exe
                                                                                                            C:\Windows\system32\Qnjnnj32.exe
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Modifies registry class
                                                                                                            PID:3768
                                                                                                            • C:\Windows\SysWOW64\Qqijje32.exe
                                                                                                              C:\Windows\system32\Qqijje32.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5108
                                                                                                              • C:\Windows\SysWOW64\Qgcbgo32.exe
                                                                                                                C:\Windows\system32\Qgcbgo32.exe
                                                                                                                55⤵
                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1968
                                                                                                                • C:\Windows\SysWOW64\Anmjcieo.exe
                                                                                                                  C:\Windows\system32\Anmjcieo.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Modifies registry class
                                                                                                                  PID:4136
                                                                                                                  • C:\Windows\SysWOW64\Adgbpc32.exe
                                                                                                                    C:\Windows\system32\Adgbpc32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1684
                                                                                                                    • C:\Windows\SysWOW64\Afhohlbj.exe
                                                                                                                      C:\Windows\system32\Afhohlbj.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:1780
                                                                                                                      • C:\Windows\SysWOW64\Anogiicl.exe
                                                                                                                        C:\Windows\system32\Anogiicl.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:4852
                                                                                                                        • C:\Windows\SysWOW64\Aqncedbp.exe
                                                                                                                          C:\Windows\system32\Aqncedbp.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:2920
                                                                                                                          • C:\Windows\SysWOW64\Agglboim.exe
                                                                                                                            C:\Windows\system32\Agglboim.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:1960
                                                                                                                            • C:\Windows\SysWOW64\Ajfhnjhq.exe
                                                                                                                              C:\Windows\system32\Ajfhnjhq.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:3368
                                                                                                                              • C:\Windows\SysWOW64\Aqppkd32.exe
                                                                                                                                C:\Windows\system32\Aqppkd32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:5084
                                                                                                                                • C:\Windows\SysWOW64\Acnlgp32.exe
                                                                                                                                  C:\Windows\system32\Acnlgp32.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:4980
                                                                                                                                  • C:\Windows\SysWOW64\Ajhddjfn.exe
                                                                                                                                    C:\Windows\system32\Ajhddjfn.exe
                                                                                                                                    65⤵
                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:1524
                                                                                                                                    • C:\Windows\SysWOW64\Amgapeea.exe
                                                                                                                                      C:\Windows\system32\Amgapeea.exe
                                                                                                                                      66⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:3992
                                                                                                                                      • C:\Windows\SysWOW64\Acqimo32.exe
                                                                                                                                        C:\Windows\system32\Acqimo32.exe
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:3312
                                                                                                                                        • C:\Windows\SysWOW64\Afoeiklb.exe
                                                                                                                                          C:\Windows\system32\Afoeiklb.exe
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:4380
                                                                                                                                          • C:\Windows\SysWOW64\Aminee32.exe
                                                                                                                                            C:\Windows\system32\Aminee32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1420
                                                                                                                                            • C:\Windows\SysWOW64\Aadifclh.exe
                                                                                                                                              C:\Windows\system32\Aadifclh.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:812
                                                                                                                                              • C:\Windows\SysWOW64\Accfbokl.exe
                                                                                                                                                C:\Windows\system32\Accfbokl.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:2136
                                                                                                                                                • C:\Windows\SysWOW64\Bjmnoi32.exe
                                                                                                                                                  C:\Windows\system32\Bjmnoi32.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:4488
                                                                                                                                                  • C:\Windows\SysWOW64\Bmkjkd32.exe
                                                                                                                                                    C:\Windows\system32\Bmkjkd32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:4716
                                                                                                                                                    • C:\Windows\SysWOW64\Bebblb32.exe
                                                                                                                                                      C:\Windows\system32\Bebblb32.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:2812
                                                                                                                                                      • C:\Windows\SysWOW64\Bganhm32.exe
                                                                                                                                                        C:\Windows\system32\Bganhm32.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:3552
                                                                                                                                                        • C:\Windows\SysWOW64\Bfdodjhm.exe
                                                                                                                                                          C:\Windows\system32\Bfdodjhm.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:2972
                                                                                                                                                          • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                                                                                                                            C:\Windows\system32\Bnkgeg32.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:1756
                                                                                                                                                            • C:\Windows\SysWOW64\Beeoaapl.exe
                                                                                                                                                              C:\Windows\system32\Beeoaapl.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:3292
                                                                                                                                                              • C:\Windows\SysWOW64\Bffkij32.exe
                                                                                                                                                                C:\Windows\system32\Bffkij32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:668
                                                                                                                                                                • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                                                                                                                                                  C:\Windows\system32\Bmpcfdmg.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  PID:1032
                                                                                                                                                                  • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                                                                                                                    C:\Windows\system32\Bgehcmmm.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:2436
                                                                                                                                                                    • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                                                                                                                      C:\Windows\system32\Bjddphlq.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:3840
                                                                                                                                                                      • C:\Windows\SysWOW64\Banllbdn.exe
                                                                                                                                                                        C:\Windows\system32\Banllbdn.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                          PID:5204
                                                                                                                                                                          • C:\Windows\SysWOW64\Bhhdil32.exe
                                                                                                                                                                            C:\Windows\system32\Bhhdil32.exe
                                                                                                                                                                            84⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:5284
                                                                                                                                                                            • C:\Windows\SysWOW64\Bapiabak.exe
                                                                                                                                                                              C:\Windows\system32\Bapiabak.exe
                                                                                                                                                                              85⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:5332
                                                                                                                                                                              • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                                                                                                                                C:\Windows\system32\Cfmajipb.exe
                                                                                                                                                                                86⤵
                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                PID:5384
                                                                                                                                                                                • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                                                                                                                                  C:\Windows\system32\Cmgjgcgo.exe
                                                                                                                                                                                  87⤵
                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:5440
                                                                                                                                                                                  • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                                                                                                                    C:\Windows\system32\Cjkjpgfi.exe
                                                                                                                                                                                    88⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:5484
                                                                                                                                                                                    • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                                                                                                      C:\Windows\system32\Ceqnmpfo.exe
                                                                                                                                                                                      89⤵
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:5532
                                                                                                                                                                                      • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                                                                                                        C:\Windows\system32\Cnicfe32.exe
                                                                                                                                                                                        90⤵
                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                        PID:5576
                                                                                                                                                                                        • C:\Windows\SysWOW64\Ceckcp32.exe
                                                                                                                                                                                          C:\Windows\system32\Ceckcp32.exe
                                                                                                                                                                                          91⤵
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:5620
                                                                                                                                                                                          • C:\Windows\SysWOW64\Cnkplejl.exe
                                                                                                                                                                                            C:\Windows\system32\Cnkplejl.exe
                                                                                                                                                                                            92⤵
                                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5664
                                                                                                                                                                                            • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                                                                                              C:\Windows\system32\Cnnlaehj.exe
                                                                                                                                                                                              93⤵
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:5708
                                                                                                                                                                                              • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                                                                                C:\Windows\system32\Ddjejl32.exe
                                                                                                                                                                                                94⤵
                                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:5752
                                                                                                                                                                                                • C:\Windows\SysWOW64\Dopigd32.exe
                                                                                                                                                                                                  C:\Windows\system32\Dopigd32.exe
                                                                                                                                                                                                  95⤵
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:5796
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Danecp32.exe
                                                                                                                                                                                                    C:\Windows\system32\Danecp32.exe
                                                                                                                                                                                                    96⤵
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                    PID:5840
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                                                                                      C:\Windows\system32\Djgjlelk.exe
                                                                                                                                                                                                      97⤵
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:5884
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                                                                        C:\Windows\system32\Daqbip32.exe
                                                                                                                                                                                                        98⤵
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        PID:5924
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                                                                          C:\Windows\system32\Daconoae.exe
                                                                                                                                                                                                          99⤵
                                                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5968
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                                                            C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                                                            100⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:6012
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                                                              C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                                                              101⤵
                                                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                              PID:6052
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                                                                C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                                                                102⤵
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:6096
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                                                                  C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                                                                  103⤵
                                                                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:6136
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                                                                    C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                                                                    104⤵
                                                                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:5176
      • C:\Windows\SysWOW64\Dknpmdfc.exe
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:5268
        • C:\Windows\SysWOW64\Dmllipeg.exe
          C:\Windows\system32\Dmllipeg.exe
          106⤵
          • System Location Discovery: System Language Discovery
          PID:5376
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 396
            107⤵
            • Program crash
            PID:5504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5376 -ip 5376
      1⤵
        PID:5468

      Network

      MITRE ATT&CK Enterprise v15

      Downloads
