Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 19:00

General

  • Target

    bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe

  • Size

    272KB

  • MD5

    bc0169f674755d5a0501125d17fe3e80

  • SHA1

    942eebaaf3250d47cc181e620f5fad012bb0fc1a

  • SHA256

    bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13

  • SHA512

    08b1074a23179a2e637c4a14657f3caded77b83d9492c89ba326333462b6cab9e9d91d2cf23b407a673aa767d41d09574286c07a831a29f8e64c691e802e506e

  • SSDEEP

    6144:lCBashpTBV+ByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:ChpT6ByvNv54B9f01ZmHByvNv5

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe
    "C:\Users\Admin\AppData\Local\Temp\bed3dba7e995f1fba41e24b342fbf2539b541ff769efc55df75b72430d74be13N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\SysWOW64\Bfabnjjp.exe
      C:\Windows\system32\Bfabnjjp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\Bnhjohkb.exe
        C:\Windows\system32\Bnhjohkb.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Windows\SysWOW64\Bmkjkd32.exe
          C:\Windows\system32\Bmkjkd32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Windows\SysWOW64\Bebblb32.exe
            C:\Windows\system32\Bebblb32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3456
            • C:\Windows\SysWOW64\Bcebhoii.exe
              C:\Windows\system32\Bcebhoii.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2936
              • C:\Windows\SysWOW64\Bfdodjhm.exe
                C:\Windows\system32\Bfdodjhm.exe
                7⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3324
                • C:\Windows\SysWOW64\Bjokdipf.exe
                  C:\Windows\system32\Bjokdipf.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4672
                  • C:\Windows\SysWOW64\Bmngqdpj.exe
                    C:\Windows\system32\Bmngqdpj.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1204
                    • C:\Windows\SysWOW64\Baicac32.exe
                      C:\Windows\system32\Baicac32.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:948
                      • C:\Windows\SysWOW64\Beeoaapl.exe
                        C:\Windows\system32\Beeoaapl.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2756
                        • C:\Windows\SysWOW64\Bgcknmop.exe
                          C:\Windows\system32\Bgcknmop.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:744
                          • C:\Windows\SysWOW64\Bffkij32.exe
                            C:\Windows\system32\Bffkij32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2892
                            • C:\Windows\SysWOW64\Bnmcjg32.exe
                              C:\Windows\system32\Bnmcjg32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:372
                              • C:\Windows\SysWOW64\Bmpcfdmg.exe
                                C:\Windows\system32\Bmpcfdmg.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3000
                                • C:\Windows\SysWOW64\Balpgb32.exe
                                  C:\Windows\system32\Balpgb32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:2024
                                  • C:\Windows\SysWOW64\Beglgani.exe
                                    C:\Windows\system32\Beglgani.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:3680
                                    • C:\Windows\SysWOW64\Bcjlcn32.exe
                                      C:\Windows\system32\Bcjlcn32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2608
                                      • C:\Windows\SysWOW64\Bgehcmmm.exe
                                        C:\Windows\system32\Bgehcmmm.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4000
                                        • C:\Windows\SysWOW64\Bfhhoi32.exe
                                          C:\Windows\system32\Bfhhoi32.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:1388
                                          • C:\Windows\SysWOW64\Bjddphlq.exe
                                            C:\Windows\system32\Bjddphlq.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:1192
                                            • C:\Windows\SysWOW64\Bnpppgdj.exe
                                              C:\Windows\system32\Bnpppgdj.exe
                                              22⤵
                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies registry class
                                              • Suspicious use of WriteProcessMemory
                                              PID:4020
                                              • C:\Windows\SysWOW64\Bmbplc32.exe
                                                C:\Windows\system32\Bmbplc32.exe
                                                23⤵
                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies registry class
                                                PID:3596
                                                • C:\Windows\SysWOW64\Banllbdn.exe
                                                  C:\Windows\system32\Banllbdn.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Modifies registry class
                                                  PID:5068
                                                  • C:\Windows\SysWOW64\Beihma32.exe
                                                    C:\Windows\system32\Beihma32.exe
                                                    25⤵
                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5088
                                                    • C:\Windows\SysWOW64\Bclhhnca.exe
                                                      C:\Windows\system32\Bclhhnca.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:3636
                                                      • C:\Windows\SysWOW64\Bhhdil32.exe
                                                        C:\Windows\system32\Bhhdil32.exe
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        • Modifies registry class
                                                        PID:684
                                                        • C:\Windows\SysWOW64\Bfkedibe.exe
                                                          C:\Windows\system32\Bfkedibe.exe
                                                          28⤵
                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1676
                                                          • C:\Windows\SysWOW64\Bjfaeh32.exe
                                                            C:\Windows\system32\Bjfaeh32.exe
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5108
                                                            • C:\Windows\SysWOW64\Bnbmefbg.exe
                                                              C:\Windows\system32\Bnbmefbg.exe
                                                              30⤵
                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1896
                                                              • C:\Windows\SysWOW64\Bmemac32.exe
                                                                C:\Windows\system32\Bmemac32.exe
                                                                31⤵
                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4564
                                                                • C:\Windows\SysWOW64\Bapiabak.exe
                                                                  C:\Windows\system32\Bapiabak.exe
                                                                  32⤵
                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:5036
                                                                  • C:\Windows\SysWOW64\Belebq32.exe
                                                                    C:\Windows\system32\Belebq32.exe
                                                                    33⤵
                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2476
                                                                    • C:\Windows\SysWOW64\Chjaol32.exe
                                                                      C:\Windows\system32\Chjaol32.exe
                                                                      34⤵
                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5044
                                                                      • C:\Windows\SysWOW64\Cfmajipb.exe
                                                                        C:\Windows\system32\Cfmajipb.exe
                                                                        35⤵
                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        • Modifies registry class
                                                                        PID:2160
                                                                        • C:\Windows\SysWOW64\Cjinkg32.exe
                                                                          C:\Windows\system32\Cjinkg32.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:3268
                                                                          • C:\Windows\SysWOW64\Cmgjgcgo.exe
                                                                            C:\Windows\system32\Cmgjgcgo.exe
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Modifies registry class
                                                                            PID:4452
                                                                            • C:\Windows\SysWOW64\Cabfga32.exe
                                                                              C:\Windows\system32\Cabfga32.exe
                                                                              38⤵
                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:4464
                                                                              • C:\Windows\SysWOW64\Cenahpha.exe
                                                                                C:\Windows\system32\Cenahpha.exe
                                                                                39⤵
                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Modifies registry class
                                                                                PID:1908
                                                                                • C:\Windows\SysWOW64\Cdabcm32.exe
                                                                                  C:\Windows\system32\Cdabcm32.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:816
                                                                                  • C:\Windows\SysWOW64\Cfpnph32.exe
                                                                                    C:\Windows\system32\Cfpnph32.exe
                                                                                    41⤵
                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry class
                                                                                    PID:5028
                                                                                    • C:\Windows\SysWOW64\Cjkjpgfi.exe
                                                                                      C:\Windows\system32\Cjkjpgfi.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:3240
                                                                                      • C:\Windows\SysWOW64\Cnffqf32.exe
                                                                                        C:\Windows\system32\Cnffqf32.exe
                                                                                        43⤵
                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3592
                                                                                        • C:\Windows\SysWOW64\Cmiflbel.exe
                                                                                          C:\Windows\system32\Cmiflbel.exe
                                                                                          44⤵
                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Modifies registry class
                                                                                          PID:3944
                                                                                          • C:\Windows\SysWOW64\Ceqnmpfo.exe
                                                                                            C:\Windows\system32\Ceqnmpfo.exe
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:2436
                                                                                            • C:\Windows\SysWOW64\Cdcoim32.exe
                                                                                              C:\Windows\system32\Cdcoim32.exe
                                                                                              46⤵
                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:4500
                                                                                              • C:\Windows\SysWOW64\Chokikeb.exe
                                                                                                C:\Windows\system32\Chokikeb.exe
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Modifies registry class
                                                                                                PID:2956
                                                                                                • C:\Windows\SysWOW64\Cjmgfgdf.exe
                                                                                                  C:\Windows\system32\Cjmgfgdf.exe
                                                                                                  48⤵
                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1668
                                                                                                  • C:\Windows\SysWOW64\Cmlcbbcj.exe
                                                                                                    C:\Windows\system32\Cmlcbbcj.exe
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3120
                                                                                                    • C:\Windows\SysWOW64\Cagobalc.exe
                                                                                                      C:\Windows\system32\Cagobalc.exe
                                                                                                      50⤵
                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Modifies registry class
                                                                                                      PID:5000
                                                                                                      • C:\Windows\SysWOW64\Cdfkolkf.exe
                                                                                                        C:\Windows\system32\Cdfkolkf.exe
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:4844
                                                                                                        • C:\Windows\SysWOW64\Cfdhkhjj.exe
                                                                                                          C:\Windows\system32\Cfdhkhjj.exe
                                                                                                          52⤵
                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Modifies registry class
                                                                                                          PID:2896
                                                                                                          • C:\Windows\SysWOW64\Cjpckf32.exe
                                                                                                            C:\Windows\system32\Cjpckf32.exe
                                                                                                            53⤵
                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:3824
                                                                                                            • C:\Windows\SysWOW64\Cmnpgb32.exe
                                                                                                              C:\Windows\system32\Cmnpgb32.exe
                                                                                                              54⤵
                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • Modifies registry class
                                                                                                              PID:4380
                                                                                                              • C:\Windows\SysWOW64\Cajlhqjp.exe
                                                                                                                C:\Windows\system32\Cajlhqjp.exe
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:4004
                                                                                                                • C:\Windows\SysWOW64\Cdhhdlid.exe
                                                                                                                  C:\Windows\system32\Cdhhdlid.exe
                                                                                                                  56⤵
                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:1508
                                                                                                                  • C:\Windows\SysWOW64\Chcddk32.exe
                                                                                                                    C:\Windows\system32\Chcddk32.exe
                                                                                                                    57⤵
                                                                                                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Modifies registry class
                                                                                                                    PID:2364
                                                                                                                    • C:\Windows\SysWOW64\Cffdpghg.exe
                                                                                                                      C:\Windows\system32\Cffdpghg.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Modifies registry class
                                                                                                                      PID:1932
                                                                                                                      • C:\Windows\SysWOW64\Cjbpaf32.exe
                                                                                                                        C:\Windows\system32\Cjbpaf32.exe
                                                                                                                        59⤵
                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Modifies registry class
                                                                                                                        PID:5112
                                                                                                                        • C:\Windows\SysWOW64\Cnnlaehj.exe
                                                                                                                          C:\Windows\system32\Cnnlaehj.exe
                                                                                                                          60⤵
                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:3360
                                                                                                                          • C:\Windows\SysWOW64\Cmqmma32.exe
                                                                                                                            C:\Windows\system32\Cmqmma32.exe
                                                                                                                            61⤵
                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry class
                                                                                                                            PID:3600
                                                                                                                            • C:\Windows\SysWOW64\Cegdnopg.exe
                                                                                                                              C:\Windows\system32\Cegdnopg.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry class
                                                                                                                              PID:912
                                                                                                                              • C:\Windows\SysWOW64\Ddjejl32.exe
                                                                                                                                C:\Windows\system32\Ddjejl32.exe
                                                                                                                                63⤵
                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:4332
                                                                                                                                • C:\Windows\SysWOW64\Dhfajjoj.exe
                                                                                                                                  C:\Windows\system32\Dhfajjoj.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry class
                                                                                                                                  PID:4916
                                                                                                                                  • C:\Windows\SysWOW64\Dejacond.exe
                                                                                                                                    C:\Windows\system32\Dejacond.exe
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:4244
                                                                                                                                    • C:\Windows\SysWOW64\Dhhnpjmh.exe
                                                                                                                                      C:\Windows\system32\Dhhnpjmh.exe
                                                                                                                                      66⤵
                                                                                                                                      • Modifies registry class
                                                                                                                                      PID:3516
                                                                                                                                      • C:\Windows\SysWOW64\Djgjlelk.exe
                                                                                                                                        C:\Windows\system32\Djgjlelk.exe
                                                                                                                                        67⤵
                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Modifies registry class
                                                                                                                                        PID:3444
                                                                                                                                        • C:\Windows\SysWOW64\Dobfld32.exe
                                                                                                                                          C:\Windows\system32\Dobfld32.exe
                                                                                                                                          68⤵
                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:3884
                                                                                                                                          • C:\Windows\SysWOW64\Daqbip32.exe
                                                                                                                                            C:\Windows\system32\Daqbip32.exe
                                                                                                                                            69⤵
                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Modifies registry class
                                                                                                                                            PID:2900
                                                                                                                                            • C:\Windows\SysWOW64\Ddonekbl.exe
                                                                                                                                              C:\Windows\system32\Ddonekbl.exe
                                                                                                                                              70⤵
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Modifies registry class
                                                                                                                                              PID:1752
                                                                                                                                              • C:\Windows\SysWOW64\Dhkjej32.exe
                                                                                                                                                C:\Windows\system32\Dhkjej32.exe
                                                                                                                                                71⤵
                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                PID:3924
                                                                                                                                                • C:\Windows\SysWOW64\Dfnjafap.exe
                                                                                                                                                  C:\Windows\system32\Dfnjafap.exe
                                                                                                                                                  72⤵
                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:968
                                                                                                                                                  • C:\Windows\SysWOW64\Dkifae32.exe
                                                                                                                                                    C:\Windows\system32\Dkifae32.exe
                                                                                                                                                    73⤵
                                                                                                                                                    PID:1740
                                                                                                                                                      • C:\Windows\SysWOW64\Dmgbnq32.exe
                                                                                                                                                        C:\Windows\system32\Dmgbnq32.exe
                                                                                                                                                        74⤵
                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:4828
                                                                                                                                                        • C:\Windows\SysWOW64\Daconoae.exe
                                                                                                                                                          C:\Windows\system32\Daconoae.exe
                                                                                                                                                          75⤵
                                                                                                                                                          • Modifies registry class
                                                                                                                                                          PID:4868
                                                                                                                                                          • C:\Windows\SysWOW64\Ddakjkqi.exe
                                                                                                                                                            C:\Windows\system32\Ddakjkqi.exe
                                                                                                                                                            76⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:2164
                                                                                                                                                            • C:\Windows\SysWOW64\Dhmgki32.exe
                                                                                                                                                              C:\Windows\system32\Dhmgki32.exe
                                                                                                                                                              77⤵
                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                              PID:3056
                                                                                                                                                              • C:\Windows\SysWOW64\Dfpgffpm.exe
                                                                                                                                                                C:\Windows\system32\Dfpgffpm.exe
                                                                                                                                                                78⤵
                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:5140
                                                                                                                                                                • C:\Windows\SysWOW64\Dkkcge32.exe
                                                                                                                                                                  C:\Windows\system32\Dkkcge32.exe
                                                                                                                                                                  79⤵
                                                                                                                                                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                  PID:5172
                                                                                                                                                                  • C:\Windows\SysWOW64\Dogogcpo.exe
                                                                                                                                                                    C:\Windows\system32\Dogogcpo.exe
                                                                                                                                                                    80⤵
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:5212
                                                                                                                                                                    • C:\Windows\SysWOW64\Daekdooc.exe
                                                                                                                                                                      C:\Windows\system32\Daekdooc.exe
                                                                                                                                                                      81⤵
                                                                                                                                                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                      PID:5244
                                                                                                                                                                      • C:\Windows\SysWOW64\Deagdn32.exe
                                                                                                                                                                        C:\Windows\system32\Deagdn32.exe
                                                                                                                                                                        82⤵
                                                                                                                                                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                        PID:5284
                                                                                                                                                                        • C:\Windows\SysWOW64\Dddhpjof.exe
                                                                                                                                                                          C:\Windows\system32\Dddhpjof.exe
                                                                                                                                                                          83⤵
                                                                                                                                                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                          PID:5316
                                                                                                                                                                          • C:\Windows\SysWOW64\Dhocqigp.exe
                                                                                                                                                                            C:\Windows\system32\Dhocqigp.exe
                                                                                                                                                                            84⤵
                                                                                                                                                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:5352
                                                                                                                                                                            • C:\Windows\SysWOW64\Dgbdlf32.exe
                                                                                                                                                                              C:\Windows\system32\Dgbdlf32.exe
                                                                                                                                                                              85⤵
                                                                                                                                                                              • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:5392
                                                                                                                                                                              • C:\Windows\SysWOW64\Dknpmdfc.exe
                                                                                                                                                                                C:\Windows\system32\Dknpmdfc.exe
                                                                                                                                                                                86⤵
                                                                                                                                                                                • Adds autorun key to be loaded by Explorer.exe on startup
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:5424
                                                                                                                                                                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                                                                                                                                                                  C:\Windows\system32\Dmllipeg.exe
                                                                                                                                                                                  87⤵
                                                                                                                                                                                    PID:5464
                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 416
                                                                                                                                                                                      88⤵
                                                                                                                                                                                      • Program crash
                                                                                                                                                                                      PID:5780
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5464 -ip 5464
        1⤵
          PID:5648

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Baicac32.exe

          Filesize

          272KB

          MD5

          cd710e0ca50d8f578c28884f16594f29

          SHA1

          b583edddee986024422d3797b2c764558f50c4cc

          SHA256

          7b3bca5709bfa9bc1b9c7e30bcb90b3ce057588e78b543c8277a1117a8c79af5

          SHA512

          ffa4415e7a7edc7c437d952746b3c44295e74a472e053aa6de560c1572fab035b9e8a0c090c2bb739bf58159a322bec3987abce4f3bfe6452a8fdbe08054b319

        • C:\Windows\SysWOW64\Balpgb32.exe

          Filesize

          272KB

          MD5

          71d74ba9e5168d479858b73759315d1d

          SHA1

          c311a0cc2c48f6014ae61616972df98f833879c2

          SHA256

          9a1fa44e87ae201721917d11eec4abc13a2d6d75d763e21772b583ac23e2ce97

          SHA512

          d666704a2790cfbb94a14e1302e0cad42e0c5551ab9c396ff6e8934456f117d32c0edae5ce6d02ed6accd5e07d0625d089dfa242ac3d647fb8bf191d21afe169

        • C:\Windows\SysWOW64\Banllbdn.exe

          Filesize

          272KB

          MD5

          f044fd509f2fc2ab0d7126c23abd12d2

          SHA1

          680f9ff527182e0c0f2b16efcadbf96257453799

          SHA256

          821e22d0b87e69e749f14f79f70c19eb2347f4fd773c9dba19ea3e043c14a9dc

          SHA512

          0b37ea304a16a366d88bf1332aaf62f8347719c3c034c0618dbf72500631452b8faf8789a93bab274e00fb419eda8bd7a615676433d3f2519ccc5b50d0f55331

        • C:\Windows\SysWOW64\Bapiabak.exe

          Filesize

          272KB

          MD5

          decb03d334afb4f83a40386a14ef1699

          SHA1

          1648e76b4d0ec88a670dd85215baccc9c9a0e70f

          SHA256

          910d0bbe2a5f5e3f515a0992f4320711f09fb5d38e58586f68fd541ef9f743c7

          SHA512

          1ddb7c1ea9faed14bd90930909ccf6f512cfadec02f538f93f8b645064c901be362f3142dd49a50a2c3fdedaefce7a378d5ff47f1209583a58456725b3915b95

        • C:\Windows\SysWOW64\Bcebhoii.exe

          Filesize

          272KB

          MD5

          f0e5a43da12d153635df11ade93bebe0

          SHA1

          ac432ef16f2981a4af3cda1146e86b172d8a645d

          SHA256

          1b2d2806b08b24c1bdee7bff56c8abc245544c33f986cb9bcb98dea89c34f4a3

          SHA512

          86a0ae4b6f310d353fb6220f540694046fe44dda74761931770c96bf2c86aeb0ad0c91f0644848277546ea43865cd6923a9a83f03dfb3245864f0af1223b4e54

        • C:\Windows\SysWOW64\Bcjlcn32.exe

          Filesize

          272KB

          MD5

          2c8ba982e00c58a2e6136f1619a020b1

          SHA1

          c344c17be52a0bf3a68bf2fb8bb861ac82466899

          SHA256

          b2fbe34b89b84efead128eddd86e66c30c3d490dfc61e6e7a4622ff4da5fa5c0

          SHA512

          25e8eccb4d89d3816dda78237fe91778265a0bcf9e72f504fbb9d4f380f6afda4e9b4a01afdc2714c7d721bbd128eb0e904950f1691fddde89d618043816c161

        • C:\Windows\SysWOW64\Bclhhnca.exe

          Filesize

          272KB

          MD5

          2d77b519f4269a4c0f6c72a8a47c9a1a

          SHA1

          6bf9250d05e73d91335b9f9569c77d2ca722604f

          SHA256

          1175cbcc2bf3d9d250e98e2d8caf6036ad95f6bb7ae2eee92cdc863f93087dc9

          SHA512

          cf786ac576046ff15a18f449d57d35cf5d01f22ec8040802561e9dcd50997f11abfb1355cb6317cec404569ec271966e8c334e8c03208516448d3e53b35ec9e6

        • C:\Windows\SysWOW64\Bebblb32.exe

          Filesize

          272KB

          MD5

          a5e487a1bd4b54ee226de32860f262d3

          SHA1

          331c54511419db78fb3996c6042a859e950608b7

          SHA256

          ea4de6e6cd84d2744db06e0ea4d585f17879b6311cfd3c5eed0939bc1bb1bc1a

          SHA512

          527f836df095a4fd0829323ee658367df86f0fc58467eccd3a6d44f65f512172356b71b544f0efee2e4da1d26be5051673f3fe9510222a4c123bd0e662687bcd

        • C:\Windows\SysWOW64\Beeoaapl.exe

          Filesize

          272KB

          MD5

          0ff8a17445e788edaa072864514d88ac

          SHA1

          831f63c0d865bf9287724c71f2f8d0d29210e02f

          SHA256

          abc878c1cf62f336c2bc2b196c51ab758e065d503c0f30b4fe46ad8dffaf8eeb

          SHA512

          8362892acc2e1972ec7a3bb8449f68677ad23c79ee84429695bacbf1d5f8123865ae14c0f61a915fa57ad4c8b760ee8ed68b8643fdc56351d272355c34613077

        • C:\Windows\SysWOW64\Beglgani.exe

          Filesize

          272KB

          MD5

          84a82225324d8aa36d0fb3f3e3cdbf77

          SHA1

          052a99d37d59aeaebd35a994600f1d3e352d265b

          SHA256

          a905cb83225931b2293761f015f4b79076ebbfda36ddabcb7c133680985c4ec6

          SHA512

          6fef6db83f57035ec83ed08078668f9d1ea94874443bd7d05f7df87cad3dc2490e1cf6230543503aa13150ff0bbb170de4a9b55e7bb3ee320a056aa6235ff959

        • C:\Windows\SysWOW64\Beihma32.exe

          Filesize

          272KB

          MD5

          ad5c9be5676fbd5cd1f1a6b950016ce0

          SHA1

          241d7681f60f830357a5b32db4d4c9e784269039

          SHA256

          d290e8b705aeb48f415dbeb0d40dbad693d3e86bfd41708221acf2992aec0846

          SHA512

          40dee830cd5e79b7f03ae9eb3f3f90c75ffe13ec37083bd840d681face6524ed97e82d1bf488d58aadbfc1f67598d972c53ab51d3daac4fd51b455ac3856e297

        • C:\Windows\SysWOW64\Belebq32.exe

          Filesize

          272KB

          MD5

          5cbeccca50340d78bb326c3f5de1e91c

          SHA1

          57454b494045af28978e6c040a1b2576546f94e0

          SHA256

          0068a729574fc6cf6da386d2016d51d5de1bd0629ebdd8ec5af0319df7125617

          SHA512

          345542b8754a3f1dccde45b2922a6bfb6224fe49e467be2e76f6d16dc9f3a3318ccd817e65b896d25b0c0255a82b52a1d89318ab6c2c2d7eda1625a0223b5931

        • C:\Windows\SysWOW64\Bfabnjjp.exe

          Filesize

          272KB

          MD5

          4894e7f40262ec3d44c6d5a0e3582d72

          SHA1

          a6c1e01f5e2185a66f45d3923572b5bbc910eaa1

          SHA256

          f75bbe7bddad46b12ad1a85aee831d8b03fc71b3c29f618ebcfe8669375154e9

          SHA512

          e997a3785cdc75961b467cd7d4d71e859e506f94b1444bb6aa50eca836480b069e15f3fe03fb114251025124153b01707b10186c8209ebc7229813e447d61b7e

        • C:\Windows\SysWOW64\Bfdodjhm.exe

          Filesize

          272KB

          MD5

          273dbf739b1f95234899f7f8b9f90ca6

          SHA1

          3a01b4ca30714fc7aa076aa654d44d966fd3441e

          SHA256

          2b52a68e45207f00882dec94f242a50b15fde4ce9283edd2be4838f28727e0a3

          SHA512

          e6f7b7df1e86c1b88d3d9e63a6edf58e621ecec5f5efd4589e48d38c2d495a95ea5410b0eb2e42edbbec6d0325ebf063a2718ea8f5832af3b3aa75ea9d33f5c3

        • C:\Windows\SysWOW64\Bffkij32.exe

          Filesize

          272KB

          MD5

          cedff1c416c0417d4f1059e2c2419b77

          SHA1

          843dda1bea1a1ee38c20fa4079d1cce6c3e78468

          SHA256

          610cb58278442e6ac7772e7710a1a772e90cce41bf578ceaef02599a193bc627

          SHA512

          9a66f71d2344fbf4bf3f440908fe1ea6273ddbaa99d1aba1b66dfbe616cbbef9316785bf664665f5019634f46e554ca323769c019c393c77d308f55a84bafc8e

        • C:\Windows\SysWOW64\Bfhhoi32.exe

          Filesize

          272KB

          MD5

          cb510bdc47c674412264510dc2a81466

          SHA1

          2ed5f8ee4f347a493eef5b5fbede6784c13a4486

          SHA256

          ade0ff3ff167e0c8a5938b1d38cd1fef1f7419202b53f9e83e6d1e5c1c4c0170

          SHA512

          d8f2e4efafd07dd5a74c25abb00de92934c33aa5ce0f8f9b18f57e3e5f8fab13452cb746967fe871caabbc286751dea0d54759c8b7ce8c4a6ee91f420c1e5fdf

        • C:\Windows\SysWOW64\Bfkedibe.exe

          Filesize

          272KB

          MD5

          3ade195b73e21c8dfc81b90e7a392149

          SHA1

          bf984924895ac4593c893dbd7137baec41b084a7

          SHA256

          6a216dcb7089ad15779570e95dcc5492dfad9aef97e2c55cac703fc6a002cd27

          SHA512

          12fd21dbcd57e88be8e6c810d6522131b874bdb37235b69618c0924b29f35c9b6759b0c415c8559e3d79267257834d16ea51fe5eb84c602d141b91a8369182c8

        • C:\Windows\SysWOW64\Bgcknmop.exe

          Filesize

          272KB

          MD5

          81499b3ae4042e52e929e2ff8e064d3b

          SHA1

          2b6fdf598c71d3158aac3deb37bf4db1225dc3b2

          SHA256

          dbd8352b0b4969b2e286d25e17a1a3a2a4b4b7a9b3dd0d9df1c7b71e9207076b

          SHA512

          89ec75a7fef69b6fad62f542f088933f2265a327742068403c05100a2919a56886d40fb88341b7621356ff2ebb8613048988b2a13a8d966cd2f0acfe75045cfd

        • C:\Windows\SysWOW64\Bgehcmmm.exe

          Filesize

          272KB

          MD5

          d5ad380e938f27ffb87958a81f29d6de

          SHA1

          5b5ff7fae6db1f9db4090542a3067d885802edc6

          SHA256

          f1caadd532bd9ef3a2c5e78ad1e2d22544dfd07b39f32cf83bdd78dd63272a61

          SHA512

          5af3efb4d98a6a16f29b73480affecd0cd4bb0912381d5195386b5a1cda3399b13e05bdbb542b04280b80b30b545c732428538a5cd23dc0b61e8da320783f0f5

        • C:\Windows\SysWOW64\Bhhdil32.exe

          Filesize

          272KB

          MD5

          67340fda272d6a7ec98e8b8508578e30

          SHA1

          66a39da6cc3163b5da698dfffb98d04ed8576c72

          SHA256

          01d1b9255ff05569ddd39f74fca9715a1c5c3d9a0dd76c2fdabb70e2010a25cb

          SHA512

          dbc5bf00800fa6d7eccd7c49451641e5caf5a7183715003b2ccc7fffcc31d2e99c01a35a70a65f2875f97cb4e01e30605b6f9beda9d6b4d8649d8566cbfe8da6

        • C:\Windows\SysWOW64\Bjddphlq.exe

          Filesize

          272KB

          MD5

          4d3601ca0381076340b09b3268774ec2

          SHA1

          73f240d86da6c0a4790213212c8dedddd5097df8

          SHA256

          46ea1963ab923ca7c948ee5601c48c171dfee65515f21da6dbcb0796d3a98e9c

          SHA512

          475337b68839c33e59c6805ff9514bc0fe60cf232cd86b433e6b9e8e30aea69f4f4a7261e7d86b628423a21a3998d6d7dc0bdfd6e33fe49bd0794ba03bf88fa7

        • C:\Windows\SysWOW64\Bjfaeh32.exe

          Filesize

          272KB

          MD5

          305a46720905790b9a43d931a20ff5f0

          SHA1

          6ed80a804dbaea6de078cef373b354f952a2d0d8

          SHA256

          00732d52009c911e7b6b01116184a08c38689a034fe4e4d374d4b10e6955e9bc

          SHA512

          f0fe6a2358a57f2ec61e30e718d0624413df0132f38ee9a2bede13f8e0164a967960920eca8911f11c58ff06a4befd6f18c47ea897311d4d30482201e401f823

        • C:\Windows\SysWOW64\Bjokdipf.exe

          Filesize

          272KB

          MD5

          d9ae5a062b567e0c9da0d8a96da436b0

          SHA1

          1222cd1539bf42c35e76934dd6b3fe58529aa08c

          SHA256

          bc19df5ac528668b8ba9563fea5f5bd9f016fbb51f1b88a081efca3988688ed1

          SHA512

          cb673aaa53420bdc00e9381aa248a2a34fb1799816d00a172280c9eaac07fe85b226b3082f4cf86cc83312f913da951bcdce75d4e8858b0cf43db81f8532a97d

        • C:\Windows\SysWOW64\Bmbplc32.exe

          Filesize

          272KB

          MD5

          fb5aefb6ca04d042a8127c4a2412e698

          SHA1

          d1c3a599902035ec570292ef36bc7cbc2d2bafff

          SHA256

          b75858af4126c60442f3cf49ad157dd64f9d49073edf64e795da50456fb37117

          SHA512

          feebc9833f3990a1242d580045f949bba252a751ac6d65d9fae5acc7c59bf81e6e99e476e2a8ded51caa95dff74159e37f0a67542e90872d5874befdd949f380

        • C:\Windows\SysWOW64\Bmemac32.exe

          Filesize

          272KB

          MD5

          f396346b585a53e58a25252ff1c9997d

          SHA1

          b2a9127a84620d3adb989f577ef23b93a9f7e356

          SHA256

          f70adcec918f353888d468243f2696719800e4d30771a58a7847c71055c69a4b

          SHA512

          6463c31ee55ea356e73455832a004b55e780fbd4a0095fe9e5f2d4d641ede072493f0a78bb2c46aef315ace87d366c80f609e14b06878e7d3b0c04febceac5a1

        • C:\Windows\SysWOW64\Bmkjkd32.exe

          Filesize

          272KB

          MD5

          6c120f4296a268ce72156968b08db85a

          SHA1

          bfd577769a2d2993fea879d8d44696adf8bb1d4e

          SHA256

          d8e0e58219976c9604ff1a4035eebbb707e28be5be6fae1a1d9d23518e184348

          SHA512

          a66b482ea961c2bc5cd774b2a4b5fcc1159826cd974b133fb22c75564a59b3094df1291f5f8dea6a365cec08743faacabe716e97260a15a70fcd25e03316cb50

        • C:\Windows\SysWOW64\Bmngqdpj.exe

          Filesize

          272KB

          MD5

          ea1c18d479f15b1448381276b95162f1

          SHA1

          97ab381397fbbb7662328548add3018dd389b861

          SHA256

          53bff883cfc00d3cb7cf1c3dcca58962e687e5440b4cd58f605ed7dc810292df

          SHA512

          aa9f244eaf67eba28c5d0a26b16bf3a5ed440ef7409294155471c34e9f1e36824b1c4864a9ea3510c9a7b269c85752d6c79256e84bf3314e44e69a4ff5d4de8b

        • C:\Windows\SysWOW64\Bmpcfdmg.exe

          Filesize

          272KB

          MD5

          b890cc13f8328031673d2b8d3fe3d130

          SHA1

          4215961b3b4c002f43b8bcbf97609bdd5151edf6

          SHA256

          c54c91f5e72867e6fd303adf99a742e53256340ddd5c0f7b9e7093f793090b56

          SHA512

          c33b6dba743f5e86302234a3b09943f3e04de8c5ff882653a78ec65a88220a345a96a81127063ace6e9e7fcc3ebb6060ade98798e29f2ae921089dcc737bb52b

        • C:\Windows\SysWOW64\Bnbmefbg.exe

          Filesize

          272KB

          MD5

          2de04bc39d59d013344064786ecbd3ab

          SHA1

          2afd4dd99f3e1e31519807e27964ed403349cb0c

          SHA256

          10eacc01f89d3a55e0afaed552f2f5643c53a26304602c4e371b28e363d7de17

          SHA512

          db6ae4add4a394f82200a5bc9cdf4d840dff3b4d09cda62199c634395cf6325fa8017f54c39e11fe9e1cc1bf130ec5274752861c9e3a88348e08d9f2e8fcdc5f

        • C:\Windows\SysWOW64\Bnhjohkb.exe

          Filesize

          272KB

          MD5

          d01fa7f2af544e7b04d00bdd1273e836

          SHA1

          f985e0778809c9a34e0b565fa2e95a054382f278

          SHA256

          04fb15590962fb2153e1b4a07ccfedb91d041d015130e50aaefa1ece3378bdb2

          SHA512

          f9d5ada06727e15081b167a60194745588cf762628feb204b41de8ce836a2647335607f9be5c639c79b51c6f7b852be78dc7a8783aa1631108e1541b1789174c

        • C:\Windows\SysWOW64\Bnmcjg32.exe

          Filesize

          272KB

          MD5

          89b700422715c61252338dae416a9717

          SHA1

          ac63659417c9e94e91b06eeef4e6495e3dad1f6b

          SHA256

          b9eb9713763e06b4aa15dc99ebdca875d9803988042fb75f41522f38065f61c7

          SHA512

          fad891e400bc6db763f17b8eb73417c9627b36894ea8f8f33b588f5af438cef419c510db0ba0dc1ed4e5a2d6608b8c4d4a6ceae902ad688d85367a073a02af96

        • C:\Windows\SysWOW64\Bnpppgdj.exe

          Filesize

          272KB

          MD5

          2cf2e02d6f8f0ee4bec24c52fd44e6e7

          SHA1

          b151446bd90505c4e8f4028dbc12674ba84a41c7

          SHA256

          c2e0b7c8679c1c97c2bd00e7bc04229ee33be4c5dd466b12cc931b016091f0b9

          SHA512

          bd291d2b954f020c786314651e44d14167d4f9b67e41f257287c5534e6db5ced5653c2bf26450beaf51318d9ecda26bae91ed11d38c535584debd99ec5fe23d7

        • C:\Windows\SysWOW64\Eeiakn32.dll

          Filesize

          7KB

          MD5

          be9a17f79f664c3b27bd5de7ccafaad0

          SHA1

          5400541a60695d68c6ea16c30fa293c7bf633ef0

          SHA256

          f85b6b56361996c5c30e153afde9f2b1d05252a7f2565a26a0636a7bd0bdbbc9

          SHA512

          37e8e3f33dd619e7f3d4482862e1376293e1e94b3382010eb16a757f6b191e3b0919e230b03bc0e3564b466682d5ffb6e57134006a42a1973c7d2d772fbfbd24

        • memory/372-391-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/684-404-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/744-389-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/816-417-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/912-554-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/948-387-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/968-562-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1192-398-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1204-386-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1388-397-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1508-548-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1668-425-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1676-405-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1740-563-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1752-560-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1896-407-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1908-416-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1932-550-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2024-393-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2160-412-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2164-566-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2320-28-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2364-549-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2436-422-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2476-410-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2608-395-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2756-388-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2892-390-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2896-544-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2900-559-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2936-578-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/2956-424-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3000-392-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3056-567-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3120-426-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3240-419-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3268-413-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3324-384-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3360-552-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3444-557-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3456-383-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3516-556-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3548-20-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3592-420-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3596-400-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3600-553-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3636-403-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3680-394-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3824-545-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3884-558-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3924-561-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/3944-421-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4000-396-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4004-547-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4020-399-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4228-669-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4228-0-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4244-580-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4332-555-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4380-546-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4452-414-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4464-415-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4500-423-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4564-408-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4672-385-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4828-564-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4844-543-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4868-565-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/4916-579-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5000-542-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5008-667-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5008-8-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5028-418-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5036-409-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5044-411-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5068-401-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5088-402-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5108-406-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5112-551-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5140-568-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5172-569-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5212-570-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5244-571-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5284-572-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5316-573-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5352-574-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5392-575-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5424-576-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)
        • memory/5464-577-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize: 204KB)