Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 10:51

General

  • Target

    9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe

  • Size

    384KB

  • MD5

    b654a546c25b33ecd91f570c11f24020

  • SHA1

    d67ca973a1b35574f021331811ef0f3fc16a2aca

  • SHA256

    9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29a

  • SHA512

    0d28fbc704ee6357d0a3cef6ecbd7add8e237cd5a3a5e7c2cd7b3ead4b18b988281ff5c272249a28f57200acb827d0eab6b5dd5c2ef3f61a38d92a5c1589d97d

  • SSDEEP

    6144:AR3Q5U4/4Bjvmih8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:Y3oX4pvmK87g7/VycgE82

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
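
The third C2 entry is not a literal URL but a printf-style template: the sample fills the %s, %i, %09u and %02d fields at run time, so a plain string match on the extracted value will never hit real beacon traffic. The Python below is an added example written for this page (not code from the sample or from the sandbox) that compiles each template into an anchored regular expression and runs it over a few constructed proxy log lines. The log line format, the host and user values inside the beacon, and the assumption that a %s field never contains the ':' delimiter are mine, not the page's.

```python
import re

# C2 URL templates as extracted from the sample's configuration (taken from the report above).
C2_TEMPLATES = [
    "http://viruslist.com/wcmd.txt",
    "http://viruslist.com/ppslog.php",
    "http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf conversions the templates use: optional flags, optional width, then s/d/i/u.
_CONV = re.compile(r"%(?P<flags>[-+ #0]*)(?P<width>\d*)(?P<conv>[sdiu])")


def template_to_regex(template: str) -> re.Pattern:
    """Compile a printf-style URL template into an anchored regex.

    %s    -> any run of characters that is not whitespace or a ':' / '&' delimiter
             (assumption: the beacon's string fields never contain ':')
    %d/%i -> optional sign plus digits; %u -> digits only
    A width such as %09u or %02d is a printf *minimum* field width (zero-padded),
    so it becomes a lower bound on the digit count, not an exact length.
    """
    parts = []
    pos = 0
    for m in _CONV.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        conv, width = m.group("conv"), int(m.group("width") or 0)
        if conv == "s":
            parts.append(r"[^\s:&]*")
        else:
            digits = r"\d{%d,}" % width if width else r"\d+"
            parts.append(("-?" if conv in "di" else "") + digits)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


C2_PATTERNS = [(t, template_to_regex(t)) for t in C2_TEMPLATES]


def find_c2_hits(log_lines):
    """Return (url, matched_template) for every log line whose URL matches a C2 pattern.

    Log line format assumed here: '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        for template, pattern in C2_PATTERNS:
            if pattern.match(url):
                hits.append((url, template))
                break
    return hits


# Constructed proxy log lines for the demonstration; the beacon field values are invented.
SAMPLE_LOGS = [
    "2024-11-11T10:52:03Z 10.0.0.15 GET http://viruslist.com/wcmd.txt 200",
    "2024-11-11T10:52:04Z 10.0.0.15 GET http://viruslist.com/piplog.php?WIN-LAB1:1616:0:Admin:000000042:7:11:10:52 200",
    "2024-11-11T10:52:05Z 10.0.0.22 GET http://viruslist.com/index.html 200",
    "2024-11-11T10:52:06Z 10.0.0.15 GET http://viruslist.com/piplog.php?broken 404",
]

if __name__ == "__main__":
    for url, template in find_c2_hits(SAMPLE_LOGS):
        print(f"C2 hit: {url}  (template: {template})")
```

Matching on the full URL shape rather than on the host alone keeps the rule specific to this beacon format: a request for some other path on the same host, or a piplog.php request whose query string does not have the nine ':'-separated fields, is not reported.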

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
    "C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\Anadoi32.exe
      C:\Windows\system32\Anadoi32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\Aqppkd32.exe
        C:\Windows\system32\Aqppkd32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\Aeklkchg.exe
          C:\Windows\system32\Aeklkchg.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Windows\SysWOW64\Agjhgngj.exe
            C:\Windows\system32\Agjhgngj.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3964
            • C:\Windows\SysWOW64\Ajhddjfn.exe
              C:\Windows\system32\Ajhddjfn.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1448
              • C:\Windows\SysWOW64\Andqdh32.exe
                C:\Windows\system32\Andqdh32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:228
                • C:\Windows\SysWOW64\Aabmqd32.exe
                  C:\Windows\system32\Aabmqd32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:216
                  • C:\Windows\SysWOW64\Aeniabfd.exe
                    C:\Windows\system32\Aeniabfd.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:1612
                    • C:\Windows\SysWOW64\Aglemn32.exe
                      C:\Windows\system32\Aglemn32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:556
                      • C:\Windows\SysWOW64\Ajkaii32.exe
                        C:\Windows\system32\Ajkaii32.exe
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1980
                        • C:\Windows\SysWOW64\Anfmjhmd.exe
                          C:\Windows\system32\Anfmjhmd.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2864
                          • C:\Windows\SysWOW64\Aadifclh.exe
                            C:\Windows\system32\Aadifclh.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2532
                            • C:\Windows\SysWOW64\Aepefb32.exe
                              C:\Windows\system32\Aepefb32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2668
                              • C:\Windows\SysWOW64\Agoabn32.exe
                                C:\Windows\system32\Agoabn32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:840
                                • C:\Windows\SysWOW64\Bjmnoi32.exe
                                  C:\Windows\system32\Bjmnoi32.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:4860
                                  • C:\Windows\SysWOW64\Bnhjohkb.exe
                                    C:\Windows\system32\Bnhjohkb.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4768
                                    • C:\Windows\SysWOW64\Bmkjkd32.exe
                                      C:\Windows\system32\Bmkjkd32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:4268
                                      • C:\Windows\SysWOW64\Bebblb32.exe
                                        C:\Windows\system32\Bebblb32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:3672
                                        • C:\Windows\SysWOW64\Bcebhoii.exe
                                          C:\Windows\system32\Bcebhoii.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:2336
                                          • C:\Windows\SysWOW64\Bfdodjhm.exe
                                            C:\Windows\system32\Bfdodjhm.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of WriteProcessMemory
                                            PID:4832
                                            • C:\Windows\SysWOW64\Bjokdipf.exe
                                              C:\Windows\system32\Bjokdipf.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:1256
                                              • C:\Windows\SysWOW64\Bnkgeg32.exe
                                                C:\Windows\system32\Bnkgeg32.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:3336
                                                • C:\Windows\SysWOW64\Baicac32.exe
                                                  C:\Windows\system32\Baicac32.exe
                                                  24⤵
                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:336
                                                  • C:\Windows\SysWOW64\Bchomn32.exe
                                                    C:\Windows\system32\Bchomn32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Modifies registry class
                                                    PID:3588
                                                    • C:\Windows\SysWOW64\Bgcknmop.exe
                                                      C:\Windows\system32\Bgcknmop.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:3880
                                                      • C:\Windows\SysWOW64\Bjagjhnc.exe
                                                        C:\Windows\system32\Bjagjhnc.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • System Location Discovery: System Language Discovery
                                                        • Modifies registry class
                                                        PID:3892
                                                        • C:\Windows\SysWOW64\Bnmcjg32.exe
                                                          C:\Windows\system32\Bnmcjg32.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:4052
                                                          • C:\Windows\SysWOW64\Balpgb32.exe
                                                            C:\Windows\system32\Balpgb32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3624
                                                            • C:\Windows\SysWOW64\Bcjlcn32.exe
                                                              C:\Windows\system32\Bcjlcn32.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2748
                                                              • C:\Windows\SysWOW64\Bgehcmmm.exe
                                                                C:\Windows\system32\Bgehcmmm.exe
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:5068
                                                                • C:\Windows\SysWOW64\Bjddphlq.exe
                                                                  C:\Windows\system32\Bjddphlq.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:464
                                                                  • C:\Windows\SysWOW64\Bnpppgdj.exe
                                                                    C:\Windows\system32\Bnpppgdj.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Modifies registry class
                                                                    PID:4284
                                                                    • C:\Windows\SysWOW64\Banllbdn.exe
                                                                      C:\Windows\system32\Banllbdn.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4304
                                                                      • C:\Windows\SysWOW64\Bclhhnca.exe
                                                                        C:\Windows\system32\Bclhhnca.exe
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies registry class
                                                                        PID:4724
                                                                        • C:\Windows\SysWOW64\Bfkedibe.exe
                                                                          C:\Windows\system32\Bfkedibe.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:2384
                                                                          • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                                            C:\Windows\system32\Bjfaeh32.exe
                                                                            37⤵
                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1948
                                                                            • C:\Windows\SysWOW64\Bmemac32.exe
                                                                              C:\Windows\system32\Bmemac32.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2320
                                                                              • C:\Windows\SysWOW64\Belebq32.exe
                                                                                C:\Windows\system32\Belebq32.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • Modifies registry class
                                                                                PID:3452
                                                                                • C:\Windows\SysWOW64\Chjaol32.exe
                                                                                  C:\Windows\system32\Chjaol32.exe
                                                                                  40⤵
                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:3392
                                                                                  • C:\Windows\SysWOW64\Cjinkg32.exe
                                                                                    C:\Windows\system32\Cjinkg32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:1996
                                                                                    • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                                      C:\Windows\system32\Cmgjgcgo.exe
                                                                                      42⤵
                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:4784
                                                                                      • C:\Windows\SysWOW64\Cabfga32.exe
                                                                                        C:\Windows\system32\Cabfga32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Modifies registry class
                                                                                        PID:4264
                                                                                        • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                          C:\Windows\system32\Cdabcm32.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:1124
                                                                                          • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                            C:\Windows\system32\Cfpnph32.exe
                                                                                            45⤵
                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1572
                                                                                            • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                              C:\Windows\system32\Cnffqf32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry class
                                                                                              PID:3928
                                                                                              • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                                C:\Windows\system32\Cmiflbel.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:1736
                                                                                                • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                                  C:\Windows\system32\Ceqnmpfo.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:3972
                                                                                                  • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                    C:\Windows\system32\Chokikeb.exe
                                                                                                    49⤵
                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:4700
                                                                                                    • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                      C:\Windows\system32\Cjmgfgdf.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2060
                                                                                                      • C:\Windows\SysWOW64\Cnicfe32.exe
                                                                                                        C:\Windows\system32\Cnicfe32.exe
                                                                                                        51⤵
                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                        • Executes dropped EXE
                                                                                                        • Modifies registry class
                                                                                                        PID:1816
                                                                                                        • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                          C:\Windows\system32\Cagobalc.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:2732
                                                                                                          • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                            C:\Windows\system32\Cdfkolkf.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:532
                                                                                                            • C:\Windows\SysWOW64\Chagok32.exe
                                                                                                              C:\Windows\system32\Chagok32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:4568
                                                                                                              • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                                C:\Windows\system32\Cjpckf32.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:3492
                                                                                                                • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                                  C:\Windows\system32\Cmnpgb32.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies registry class
                                                                                                                  PID:2996
                                                                                                                  • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                    C:\Windows\system32\Cajlhqjp.exe
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    PID:3248
                                                                                                                    • C:\Windows\SysWOW64\Cdhhdlid.exe
                                                                                                                      C:\Windows\system32\Cdhhdlid.exe
                                                                                                                      58⤵
                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:2416
                                                                                                                      • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                        C:\Windows\system32\Chcddk32.exe
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:404
                                                                                                                        • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                          C:\Windows\system32\Cjbpaf32.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Modifies registry class
                                                                                                                          PID:3740
                                                                                                                          • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                            C:\Windows\system32\Cnnlaehj.exe
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:2020
                                                                                                                            • C:\Windows\SysWOW64\Calhnpgn.exe
                                                                                                                              C:\Windows\system32\Calhnpgn.exe
                                                                                                                              62⤵
                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:1552
                                                                                                                              • C:\Windows\SysWOW64\Cegdnopg.exe
                                                                                                                                C:\Windows\system32\Cegdnopg.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry class
                                                                                                                                PID:1772
                                                                                                                                • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                  C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                  64⤵
                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:3896
                                                                                                                                  • C:\Windows\SysWOW64\Djdmffnn.exe
                                                                                                                                    C:\Windows\system32\Djdmffnn.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:628
                                                                                                                                    • C:\Windows\SysWOW64\Dmcibama.exe
                                                                                                                                      C:\Windows\system32\Dmcibama.exe
                                                                                                                                      66⤵
                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                      PID:4108
                                                                                                                                      • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                        C:\Windows\system32\Dejacond.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4232
                                                                                                                                        • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                                                                                          C:\Windows\system32\Dhhnpjmh.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:3936
                                                                                                                                          • C:\Windows\SysWOW64\Dfknkg32.exe
                                                                                                                                            C:\Windows\system32\Dfknkg32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:2348
                                                                                                                                            • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                              C:\Windows\system32\Dobfld32.exe
                                                                                                                                              70⤵
                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:5156
                                                                                                                                              • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                                C:\Windows\system32\Daqbip32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:5196
                                                                                                                                                • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                                  C:\Windows\system32\Ddonekbl.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Modifies registry class
                                                                                                                                                  PID:5236
                                                                                                                                                  • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                    C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:5276
                                                                                                                                                    • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                      C:\Windows\system32\Dkifae32.exe
                                                                                                                                                      74⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:5316
                                                                                                                                                      • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                        C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                        75⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:5356
                                                                                                                                                        • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                          C:\Windows\system32\Daconoae.exe
                                                                                                                                                          76⤵
                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:5396
                                                                                                                                                          • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                            C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                            77⤵
                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:5436
                                                                                                                                                            • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                              C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                              78⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:5476
                                                                                                                                                              • C:\Windows\SysWOW64\Dmjocp32.exe
                                                                                                                                                                C:\Windows\system32\Dmjocp32.exe
                                                                                                                                                                79⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:5516
                                                                                                                                                                • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                  C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:5564
                                                                                                                                                                  • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                    C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:5596
                                                                                                                                                                    • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                      C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                      PID:5636
                                                                                                                                                                      • C:\Windows\SysWOW64\Doilmc32.exe
                                                                                                                                                                        C:\Windows\system32\Doilmc32.exe
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:5680
                                                                                                                                                                        • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                          C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                          84⤵
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:5720
                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 408
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Program crash
                                                                                                                                                                            PID:5808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720
    1⤵
      PID:5784
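The tree above is the tail of a linear chain of dropped executables, each started from C:\Windows\SysWOW64 by the previous one, ending in a crash of Dmllipeg.exe (PID 5720) that WerFault.exe reports twice: once as a child at level 85 and once as a separately started instance at level 1. The following Python is an added example, not part of the Triage report or of the sample, that parses this report layout into a process tree and pulls out the facts an analyst wants from it: the parent chain, which processes dropped into System32, and which PID actually faulted. The sample text is copied from the lines above with indentation removed; treating the "N⤵" marker as the nesting depth is an assumption, consistent with the numbering shown on this page (root at 1, each child one deeper). The command line of each 32-bit process names system32 while the image path names SysWOW64; that is WOW64 file-system redirection, which the parser keeps as two separate fields.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the tail of the process tree on this page with the
# indentation removed (Doilmc32.exe -> Dmllipeg.exe -> WerFault.exe, plus the
# WerFault.exe instance the report lists separately at level 1).
SAMPLE_TREE = r"""
• C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
83⤵
• Drops file in System32 directory
• System Location Discovery: System Language Discovery
• Modifies registry class
PID:5680
• C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
84⤵
• System Location Discovery: System Language Discovery
PID:5720
• C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 408
85⤵
• Program crash
PID:5808
• C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720
1⤵
PID:5784
"""

IMAGE_RE = re.compile(r"^• ([A-Za-z]:\\.+)$")   # "• C:\..." opens a process entry
DEPTH_RE = re.compile(r"^(\d+)⤵$")              # "N⤵": assumed to be the nesting depth
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str                      # path as listed (SysWOW64 for the 32-bit droppers)
    cmdline: str = ""               # command line as logged (system32 via WOW64 redirection)
    depth: int = 0
    pid: int = 0
    tags: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    """Parse entries in document order, then link parents via the depth markers."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    want_cmdline = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := IMAGE_RE.match(line)):
            cur = Proc(image=m.group(1))
            procs.append(cur)
            want_cmdline = True          # the line after the image is the command line
        elif cur is None:
            continue
        elif want_cmdline:
            cur.cmdline, want_cmdline = line, False
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif (m := PID_RE.match(line)):
            cur.pid = int(m.group(1))
        elif line.startswith("• "):
            cur.tags.append(line[2:])    # a behaviour signature attached to this process
    # Parent = nearest preceding entry with a smaller depth. A level-1 entry
    # (or the first entry of a fragment like this one) gets no parent.
    stack: List[Proc] = []
    for p in procs:
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        p.parent = stack[-1] if stack else None
        stack.append(p)
    return procs


def ancestry(p: Proc) -> List[Proc]:
    """Root-to-leaf chain ending at p."""
    out = []
    while p is not None:
        out.append(p)
        p = p.parent
    return out[::-1]


def crashed_pids(procs: List[Proc]) -> Set[int]:
    """PIDs named by a WerFault.exe '-p <pid>' argument, i.e. the faulting process."""
    out = set()
    for p in procs:
        m = re.search(r"-p (\d+)", p.cmdline)
        if p.image.lower().endswith("\\werfault.exe") and m:
            out.add(int(m.group(1)))
    return out


def droppers(procs: List[Proc]) -> List[int]:
    """PIDs the report tagged with the System32 file-drop signature."""
    return [p.pid for p in procs if "Drops file in System32 directory" in p.tags]


def sysw64_chain(procs: List[Proc]) -> int:
    """Longest parent-child run of non-WerFault images under SysWOW64, the
    self-replicating pattern this report shows one link after another."""
    best = 0
    for p in procs:
        n = 0
        for q in ancestry(p):
            img = q.image.lower()
            if img.startswith("c:\\windows\\syswow64\\") and not img.endswith("\\werfault.exe"):
                n += 1
            else:
                n = 0
            best = max(best, n)
    return best
```

Run against the full report rather than this fragment, sysw64_chain returns the length of the whole dropper chain and the first entry's parent is the submitted sample; on the fragment the first entry has no parent because its ancestors are not in the text. The level-1 WerFault.exe instance is correctly left unparented: it is started by the error-reporting service, not by the malware, and its "-p 5720" argument is what ties it back to the crashed process.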

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\Aabmqd32.exe

            Filesize

            384KB

            MD5

            5caba83cabf3aaed4cbc94c42ce5e0e4

            SHA1

            aadd6257512939517869d3b6d23401f18e8654e8

            SHA256

            39038682c45c852002c9a46489192ecef9bae4f6f16bb0a203343e72a8045f95

            SHA512

            1df41df88c660273c6d7bfe51fcb1293ba766657ec3e6a4efa8a74868572e10d08c8c377ca4dca8ac8496e3764a97fb6890e11e6acea9c1f1e7b3891c9f9df72

          • C:\Windows\SysWOW64\Aadifclh.exe

            Filesize

            384KB

            MD5

            76483984f8b2bff03f185a16e6be996b

            SHA1

            adc95cd8ccc4aeb48838ef70e365d65f35a7825f

            SHA256

            14fc25a18db423ab6de3ba789d01c6ba876d46327743c353ab10e420ed176ef1

            SHA512

            afff813f6218120726a89b09319a0855b68c75a7d8ad894c7a3bbaf6f2f4c4ab0d185ba9703b564659339781b8c1e97b3cbf75c88ee53bbef350d1a0fc54e46f

          • C:\Windows\SysWOW64\Aeklkchg.exe

            Filesize

            384KB

            MD5

            9033d2981a18a605291db997d583e8ba

            SHA1

            462b074949397d5edb14d9d314afebf180dab27e

            SHA256

            7809e0976306cb102204ba2ebbaae7c0eda72ed092255e334357168c775b9cc1

            SHA512

            d84d566ad229330854ae2e48616308018c185a1a381df78cfd78af746545328d520ecdaae79cd9a2c1baaff60ac6ebae23f5217dcbe3e14367eeb245aaa04cdb

          • C:\Windows\SysWOW64\Aeniabfd.exe

            Filesize

            384KB

            MD5

            fc193cca4ef6d18159e7c6c97d7785fb

            SHA1

            22ecdb554eb63b1660203838ef2720166ae938cf

            SHA256

            a6fc962d18d2192d674fed0280a4b03872300460e685d1ef6ffaa537511960ee

            SHA512

            2c092f04e2dc488c40a87596ec29cc16f320a4352931b134f46db58f408389d946a946d272d52563be0e71e7b72256e6f97edafa2850a08644e4882cc42dbfcd

          • C:\Windows\SysWOW64\Aepefb32.exe

            Filesize

            384KB

            MD5

            b7939ed895f271fe437ab6f59a5a36fe

            SHA1

            63fcdedaf7693f075c1493b73d2badb333036378

            SHA256

            83d0ca1cbe71ccbbda877ec96e824bf2c14a4aad085a43d4057d3e6daab882c3

            SHA512

            29afce1ffdd61ea6a21c2306cf46dc9c09bd210da4787464ee550c024c77c9984a6bfdee47b6671195e2c2dccc6ee70985f84637b5e4c85647c321bafca766da

          • C:\Windows\SysWOW64\Agjhgngj.exe

            Filesize

            384KB

            MD5

            2bbefa417553b86165dc8d011c97fc57

            SHA1

            8711abb550a7e386a5e68225efdb78a5f46a978b

            SHA256

            ff6c247408a44fd63fe151f299d329c699feb716bf9df7ab4ce44bf7dd0625b2

            SHA512

            b22e6cc8bf571b8442872fc54ff6f126e472ed15090801bcce54a026301d7f401055951cbf37931069e0c2deb04726f914efd7fa0447d9e9fa8d83c7dbc18553

          • C:\Windows\SysWOW64\Aglemn32.exe

            Filesize

            384KB

            MD5

            5b887951738160872b2b94b2dfdf426c

            SHA1

            4000da3e13ba7be4bae36ec7c73100a4090cf984

            SHA256

            c4545a96259a0722acee2cec39aa1d55d76ad605eea9acb9cb63cbe304de44fd

            SHA512

            7f29f0cbfc460d2078e842d749e5f00d9b559cc005d31767889385194c9aaa9c2b32af3cf84c74ffb2b9189b5226f2a6180c9f067b23c75f3026107634758ca2

          • C:\Windows\SysWOW64\Agoabn32.exe

            Filesize

            384KB

            MD5

            c46908b167b12e58b88c244a0d2c6419

            SHA1

            cf35b424fc4fd467a5cd99a080b2d4df31ec0102

            SHA256

            4b22b23d4c4d5523e7aa65790029298b0ede415f09dba843a2f3608e38bc5a13

            SHA512

            9ca6074131867e3a0d3b67e68e327d2fa9c5e9f7f5a5bf183eacffe202ea0d4c3afcd84afe022fb0b6a60df2b0c7213469d39acc820f6ea08e7a3348862a0d7a

          • C:\Windows\SysWOW64\Ajhddjfn.exe

            Filesize

            384KB

            MD5

            54e978ae72a7372572bb100b8968ceda

            SHA1

            89afc3b6d88a985ecc49a88546fe7693fca54c22

            SHA256

            d415ef949795eb5991a23adb6942e0c48973686aac9eeb2fc38a25e3ecfe031f

            SHA512

            7cc4919cbc5948a587826b2a0d71cf7d48f68802be784b3c60f90a4fe032b572e1dd97b943cee50892f27e2aac0a23a4b53a88dc90ed9cad56b2596e7066c564

          • C:\Windows\SysWOW64\Ajkaii32.exe

            Filesize

            384KB

            MD5

            ce53cdd0fac74c87ee4613b2fea5192e

            SHA1

            8f598a91ec21a5a5fce149cee3766d6535ab24b9

            SHA256

            5f0e75834ba00008219daa765f8ab3a502973152ddf8101fc346294ed52f63b1

            SHA512

            e40f5232c121072e963b72cbd12ddcf6efd9d737133e9596d2e126fb222914ccf5f8e87373edb247802f2f154cc1a487d3564dc720de9608507b5836ff808365

          • C:\Windows\SysWOW64\Anadoi32.exe

            Filesize

            384KB

            MD5

            4ffabc8aa292472ba34637f8181be062

            SHA1

            1a0485e044e7335cc1a1150a0ce1319e143710af

            SHA256

            5af6633f74fd23c8f09c5483405480f3fe0c02b8d2fb2e153500a2844c01411e

            SHA512

            98a775e9ba19d750254c4d91a924a21c30d922d0fa332eaf5c5052e2a4fbdcd3357ed7c55bb86a98b3d582e8314dde070247dac1daaca71e972fe843c5b735bd

          • C:\Windows\SysWOW64\Andqdh32.exe

            Filesize

            384KB

            MD5

            6dc4d3d60446c2792db0f620f604a920

            SHA1

            74adaf0531eb962faada1e27e78a5978b34b43b7

            SHA256

            5b85099359f9c2f998c54cfd864f46a117512a7b9540bfb710eb5d6cbec2ae1d

            SHA512

            39c02a117e84edf80159433e278ef625da3b95654ff7783d7a6004192693a5a40a32face58890c3f9608779964c071553f4782ac710806f8124f610436b10e2b

          • C:\Windows\SysWOW64\Anfmjhmd.exe

            Filesize

            384KB

            MD5

            4e8648a8a43145c59be715ce33b11161

            SHA1

            a2c750a493cc18c9b64bb02138a7c7aed89e9900

            SHA256

            1337ffbc4136d0409c1b72f8a857f95ed4c7b731595879f954d6fbe9a0798b54

            SHA512

            f8e4b9067ef57e6c4ba1233f8d17aaf8a5d95fec1fa4b528cfe18d2a423afea9158a5565bd3e0facbc87b5698821a6cddf4d2e5dab410eeb913dadf1888965cc

          • C:\Windows\SysWOW64\Aqppkd32.exe

            Filesize

            384KB

            MD5

            a7f7759e023d90bdebe75b43a067fc65

            SHA1

            8ba9798615f6018e63448a0c52efb0bbc6de1257

            SHA256

            6deb7d6c3f1306a50906236c0df25fa3f95d39612910fa424454f9a696668496

            SHA512

            1b651abbfffdb451490bfc740a51161411344b30b68dedd54bd1c9b79e6297b4c02e8c00d97fc6d9e6b76fe9320146315f6e6f9960847415fe4a5adebf61c961

          • C:\Windows\SysWOW64\Baicac32.exe

            Filesize

            384KB

            MD5

            2e87eea3b2eac62c29cffddc7a7bdb07

            SHA1

            a2da2d7eb388361223249b2bd5789254ad9d5916

            SHA256

            61aa0a3c16b05065952f1c81d8c05495c24765ab8f725c62f53af9a5ac17657d

            SHA512

            fa6d414166c543ad028f3b844c793d11df5999d5d3494d4f7a172fbaf5198b456e9474f8989ee0380aafb29545727ebb9e561d71d23017460c778c28995a9fd5

          • C:\Windows\SysWOW64\Balpgb32.exe

            Filesize

            384KB

            MD5

            05817ed39385a3762f1a7484114e11bb

            SHA1

            fcfb845f5ec3a1afbe728b4cad4262f7f39066ed

            SHA256

            ec74ccfd19af4d5c0c545af6662fc16a1dbceda41ba94d791418ebf289642578

            SHA512

            3fc80399f86764d26e49330208d3046af3a520824fef075c7e3e121adac961ef9e33f1e9bdae497896cc3939d7dfb5f8134ad1766d4483f02bb9260623c6596c

          • C:\Windows\SysWOW64\Bcebhoii.exe

            Filesize

            384KB

            MD5

            9241beba41c378685658f4dcf73eab46

            SHA1

            25f7e74b4f32aa97ea001ca3ff54f12ac16ae139

            SHA256

            29864d08a28638f6ce16c4f309cf68d9abc2fe77dae689dbddefdb2a2d61687f

            SHA512

            03f91c2676fd717e2d354302256452dcc112eb7eb2d929f37b93403c06eb41699de1d50d2d14bbb90e39967a944c24da05dddd01e616e97914a9305a6000161e

          • C:\Windows\SysWOW64\Bchomn32.exe

            Filesize

            384KB

            MD5

            a195a979c34925e77e64a4990ae3dbdc

            SHA1

            db3c57f42347a0bf90a8d2ca26463707b265412a

            SHA256

            88eba9656e880f701ee6ac096eb0f6ae1be3759ed1468a89bd2fbb8009bbc119

            SHA512

            91728d0e1d6839a5ee28332d99e731d005be3349c44385097c4a034ccee4fcaa73ddbadb88819c57956793f9200d33572301a7994bf5f9f07be09832cd933b84

          • C:\Windows\SysWOW64\Bcjlcn32.exe

            Filesize

            384KB

            MD5

            786e59a353a4fcc1ab519f84a27f6cff

            SHA1

            b167bb7d78037018a64c6b6ea5630bf7e9d3cf4d

            SHA256

            4ff2665bd6e3c34009feb528a2093a66a540a4c552efea660dc6bfbb68c752f8

            SHA512

            f80167cadbed951e65974c38aa7be5d6ceda7651913a99ef5fe68bf83e6900b0cc99799a864387ac81594de7886851dd10e488eaa81f3a2d0ea0cade8c552506

          • C:\Windows\SysWOW64\Bebblb32.exe

            Filesize

            384KB

            MD5

            8fe9eda04d39a1b92b99bb117fa96e6f

            SHA1

            20eba5ad6f8b93d805c78704054a89c7248c6efa

            SHA256

            4d747ae878c711078a4a9f5acb9d1a7e07a79666e9950317c0f24d761634294f

            SHA512

            8be8e51cf721202ea9f80dd68707af1ed83b79670b8b26931c71ec7ad3b6b39ca063e929fae01f37ca2daebc2c33cc368f2c8b5fcfb79ebcaf8390a333365c38

          • C:\Windows\SysWOW64\Bfdodjhm.exe

            Filesize

            384KB

            MD5

            3cda09660b34ecf2d14433873c983c9a

            SHA1

            dc37780155b72c4a54c1543408b6e8fb5cab2869

            SHA256

            e6c458327f9a6623a2fe12da2fce90f296e05eb68436f0462effc5eef715ec43

            SHA512

            7fa5ffad96c26ff32abece4c00ea9cc56c41acbf51d949d1c7db22a6e778060eb567f210e806aea0dfac4dca947509b8f93b79dcc6e559b69ba315713b2b76df

          • C:\Windows\SysWOW64\Bgcknmop.exe

            Filesize

            384KB

            MD5

            03b18db24a7eaed60251d152f040f675

            SHA1

            dd0f9ec8639efffba8c9751cf7cbbede009bcfd2

            SHA256

            d45f8f4660d57c36ed357b5e3c18453173ba6be2c63d2e9412fd35f394a200ce

            SHA512

            f31d513978821ae80aa11f80c30d7b8c73e8781a64b2839e527ba07cb53569c7bd4c16076d400d287666ce5c4a98f22ceff12830ce8439eda4df66626adca0ee

          • C:\Windows\SysWOW64\Bgehcmmm.exe

            Filesize

            384KB

            MD5

            e9e24e680f9f139d7ccb43d986a9bc85

            SHA1

            bef665ac2e4a8dde81affaeb6ebe9c58e7194050

            SHA256

            4ef1144eb56d4f31a4f3bea11085bd6542ebfe3f79784f0fce6261e2e8093d9d

            SHA512

            c8bc2f932de67214c7527d57d55ec8786b510b5976330cc0bf22e0eb11101312e5e2dcec83e51a6b67da1bd9e40268d5f5ccce24385b9a291336a635c4cf71c8

          • C:\Windows\SysWOW64\Bjagjhnc.exe

            Filesize

            384KB

            MD5

            6e9801b31315492eeba2db98408adfcb

            SHA1

            725addc8c30916a33fee2542ff57ea8ebe61e609

            SHA256

            68a589fcc4bb5851544039af57029b11a40d365db29c21e03de0dbf74e9ec05b

            SHA512

            bf42a9d8d1001d7d6c2503bab19a16aa5f1f4c893a034946a9be8bfc5f4fc469f4f6b5355891327b8d59798cbbaf025e04a6c1c26b85c733ee6798bf8b382c56

          • C:\Windows\SysWOW64\Bjddphlq.exe

            Filesize

            384KB

            MD5

            d589cb5b698778459710e02f545b5db3

            SHA1

            288abd678422e5ed3726e49c4610d1f7c5e2bda4

            SHA256

            5a4ec4a2159baa5d785115cf1bb91a540723e5bb97bf000e8169a89f9a54b8ad

            SHA512

            c03ed5f4a1f5f728c5f7e2f4343898107b5b4a5d2d0c0fdeac4057cb86709ffa5e6bdde3d082af616bc127ffa8d0c5e7921536c6be3a0badf1619df35778eaeb

          • C:\Windows\SysWOW64\Bjmnoi32.exe

            Filesize

            384KB

            MD5

            f6a8245f959cab9fbcd18d89044a176c

            SHA1

            62fea54aba3b05b4fbc85c0d67d8da131b2fe8b6

            SHA256

            5ac49e35f5ff23a72a1fa1a3556f378777a8cd2012de413a8b5383e687d6fcc0

            SHA512

            c50c894286bc9f68a82da155e90536b75ad56df1799feec4c776525e61dc586595ae1f506c1a04b382b21ec0cca7b9821a602a278a774a4253111408aaf3c131

          • C:\Windows\SysWOW64\Bjokdipf.exe

            Filesize

            384KB

            MD5

            b308e8e93ff5e694facb802d2c6373c6

            SHA1

            0dff637ba0b35ae738533051dd9b9542ddf303fa

            SHA256

            ad8ad43bb23f579ada4b8075f3c82bebb9312c1db037ef94020568eda3369da4

            SHA512

            fb8dcea8ee8dc46aabc15e7f36a7abd82f03800d3c99629e7faec76b82856de97f70025c103176159856455b6474e2e0a8b36b75dfc176a1eaf97f6be9f1be51

          • C:\Windows\SysWOW64\Bmkjkd32.exe

            Filesize

            384KB

            MD5

            d976e3ae9ece8489471ef7f8afcb335e

            SHA1

            b5da39c03eae1ab7e7b1e856124f16c25dc0f717

            SHA256

            b8e410fc8e772f1a422188d0673271c1ab6f1b26a2b34d899fdf8156a8913ec7

            SHA512

            1f477c46170885eab831bb5120add1999729a8c7f75d01732e4dcea6cb5b67c01881b33d88f10cb2a240a3b4665eeadcec7f561224ad636a9f44b340f5ae68f8

          • C:\Windows\SysWOW64\Bnhjohkb.exe

            Filesize

            384KB

            MD5

            5e423dd3bec5f6579a1688034fa13e42

            SHA1

            6b4590ad9ae0c5a027f62d2b322cbc2101960973

            SHA256

            f0677a4c4c8b99752b05c419f9d6310d52a38a986c698fc5a7ab597225175432

            SHA512

            abdc2c634087ddea475c0526d85a499da7f67b65789d2c7171e795379e6e6f4bc96e86b37f27b0c1102cac6f5d7d16e5115a84efe19e086e053761dc2ee0e96f

          • C:\Windows\SysWOW64\Bnkgeg32.exe

            Filesize

            384KB

            MD5

            c740db47b5b808dc2c08c40adf4b515a

            SHA1

            d0455335f8f882a8962df4c37232ea6284361824

            SHA256

            e9f34b7ff02daff0c2a87523d23cdb6c2dbba4e218d610c9034394d831a206fb

            SHA512

            e4a3b128646756f9468f74c8d1944dc688647d7b2ce35392f5f290d1a4418431c7d9999672091a08cbffe678dbf6546df8c29349b55a819e8e99ad26a68e4ee8

          • C:\Windows\SysWOW64\Bnmcjg32.exe

            Filesize

            384KB

            MD5

            0ae159163e8566c045f7c58b1f0406ba

            SHA1

            7f286abe9b947677ddd578831ddb5c8b3f0a915d

            SHA256

            a348ab21a063970932400b1fdc3fff7beecddc9c5bd97fc99c50a784f374e86d

            SHA512

            71e01c394b850122cfccbb32ffabcd78d0cfcbcde6e218c97380f312c3f9757c69d62ed7396e7fc0e0e1fe79781bfa8f1927284c10e0c9dfc5a01ca1098bc742

          • C:\Windows\SysWOW64\Bnpppgdj.exe

            Filesize

            384KB

            MD5

            22218f9a90c350d2da5fcc0438caad69

            SHA1

            12941900aed12da89233110f97d4b8507d910af6

            SHA256

            21c37f7e0a31e02fef89aa9516e9ad0859b8f65744b8b40fd9a361c9d446a782

            SHA512

            0ae4fc4cefdbac42bc1a88280196d916d8c228f664477fbe89a9bbc45ba9352db5b79b568a23b577ab160fd4ae7aa2605845df8f432f6951902daa10af1f5f6d

          • C:\Windows\SysWOW64\Oicmfmok.dll

            Filesize

            7KB

            MD5

            6e1123c58d25ad4d90730094ef185322

            SHA1

            e8a011a5a72e7d6614fb35a86a19949627dbfb84

            SHA256

            1d9b9b034c223ba26694923179b9e53719ecf7c23c2fcc956ec4b5f1e51bf305

            SHA512

            0fd7c987d76a701ae67db5e5a7546e16fe08612833ab2da6f46f069a58e9815bf6ef1a9cd33aab7d4a755abacc0275fcda0bc0adaab313b96d6694c2fbc320a5

          • memory/216-60-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/228-52-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/336-188-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/404-417-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/464-252-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/532-380-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/556-76-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/628-453-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/840-117-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1124-327-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1256-173-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1448-44-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1552-434-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1572-333-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1612-68-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1616-549-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1616-0-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1736-345-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1772-445-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1816-368-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1948-284-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1980-84-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/1996-309-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2020-429-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2060-363-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2320-291-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2336-157-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2348-477-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2384-279-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2416-411-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2532-100-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2668-108-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

          • memory/2732-375-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize: 204KB

          • memory/2748-236-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/2780-12-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/2864-92-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/2996-399-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3248-405-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3336-180-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3392-302-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3452-296-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3492-392-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3588-197-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3616-28-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3624-229-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3672-148-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3740-423-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3880-204-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3892-213-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3896-447-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3928-339-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3936-471-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3964-564-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3964-32-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/3972-351-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4052-221-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4108-458-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4232-464-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4264-321-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4268-140-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4284-261-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4304-267-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4568-387-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4688-20-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4700-356-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4724-273-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4768-133-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4784-315-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4832-164-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/4860-124-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5068-245-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5156-483-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5196-489-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5236-495-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5276-501-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5316-507-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5356-513-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5396-519-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5436-525-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5476-531-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5516-536-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5564-543-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5596-550-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5636-556-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5680-562-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
          • memory/5720-563-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)